From 09248fa0db08ab01f003b5fbea88f407faa86ca7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 9 Sep 2011 10:10:03 -0400 Subject: [PATCH] Move modules to contrib submodule. --- policy/modules/admin/acct.fc | 9 - policy/modules/admin/acct.if | 80 -- policy/modules/admin/acct.te | 89 -- policy/modules/admin/alsa.fc | 20 - policy/modules/admin/alsa.if | 208 ---- policy/modules/admin/alsa.te | 84 -- policy/modules/admin/amanda.fc | 26 - policy/modules/admin/amanda.if | 161 --- policy/modules/admin/amanda.te | 211 ---- policy/modules/admin/amtu.fc | 1 - policy/modules/admin/amtu.if | 46 - policy/modules/admin/amtu.te | 34 - policy/modules/admin/anaconda.fc | 1 - policy/modules/admin/anaconda.if | 1 - policy/modules/admin/anaconda.te | 59 - policy/modules/admin/apt.fc | 21 - policy/modules/admin/apt.if | 225 ---- policy/modules/admin/apt.te | 162 --- policy/modules/admin/backup.fc | 13 - policy/modules/admin/backup.if | 45 - policy/modules/admin/backup.te | 85 -- policy/modules/admin/brctl.fc | 1 - policy/modules/admin/brctl.if | 20 - policy/modules/admin/brctl.te | 44 - policy/modules/admin/certwatch.fc | 1 - policy/modules/admin/certwatch.if | 78 -- policy/modules/admin/certwatch.te | 53 - policy/modules/admin/ddcprobe.fc | 4 - policy/modules/admin/ddcprobe.if | 45 - policy/modules/admin/ddcprobe.te | 51 - policy/modules/admin/dmidecode.fc | 4 - policy/modules/admin/dmidecode.if | 50 - policy/modules/admin/dmidecode.te | 30 - policy/modules/admin/dpkg.fc | 12 - policy/modules/admin/dpkg.if | 226 ---- policy/modules/admin/dpkg.te | 338 ------ policy/modules/admin/firstboot.fc | 3 - policy/modules/admin/firstboot.if | 157 --- policy/modules/admin/firstboot.te | 135 --- policy/modules/admin/kdump.fc | 5 - policy/modules/admin/kdump.if | 111 -- policy/modules/admin/kdump.te | 38 - policy/modules/admin/kismet.fc | 6 - policy/modules/admin/kismet.if | 247 ----- policy/modules/admin/kismet.te | 101 -- policy/modules/admin/kudzu.fc | 5 - policy/modules/admin/kudzu.if | 64 -- policy/modules/admin/kudzu.te | 145 --- policy/modules/admin/logrotate.fc | 9 - policy/modules/admin/logrotate.if | 120 -- policy/modules/admin/logrotate.te | 230 ---- policy/modules/admin/logwatch.fc | 7 - policy/modules/admin/logwatch.if | 38 - policy/modules/admin/logwatch.te | 147 --- policy/modules/admin/mcelog.fc | 1 - policy/modules/admin/mcelog.if | 20 - policy/modules/admin/mcelog.te | 32 - policy/modules/admin/mrtg.fc | 18 - policy/modules/admin/mrtg.if | 20 - policy/modules/admin/mrtg.te | 160 --- policy/modules/admin/ncftool.fc | 1 - policy/modules/admin/ncftool.if | 48 - policy/modules/admin/ncftool.te | 78 -- policy/modules/admin/passenger.fc | 11 - policy/modules/admin/passenger.if | 39 - policy/modules/admin/passenger.te | 77 -- policy/modules/admin/portage.fc | 33 - policy/modules/admin/portage.if | 316 ------ policy/modules/admin/portage.te | 326 ------ policy/modules/admin/prelink.fc | 11 - policy/modules/admin/prelink.if | 204 ---- policy/modules/admin/prelink.te | 164 --- policy/modules/admin/quota.fc | 19 - policy/modules/admin/quota.if | 85 -- policy/modules/admin/quota.te | 84 -- policy/modules/admin/readahead.fc | 3 - policy/modules/admin/readahead.if | 1 - policy/modules/admin/readahead.te | 101 -- policy/modules/admin/rpm.fc | 52 - policy/modules/admin/rpm.if | 578 ---------- policy/modules/admin/rpm.te | 395 ------- policy/modules/admin/sectoolm.fc | 4 - policy/modules/admin/sectoolm.if | 2 - policy/modules/admin/sectoolm.te | 106 -- policy/modules/admin/shorewall.fc | 16 - policy/modules/admin/shorewall.if | 202 ---- policy/modules/admin/shorewall.te | 108 -- policy/modules/admin/shutdown.fc | 7 - policy/modules/admin/shutdown.if | 69 -- policy/modules/admin/shutdown.te | 63 -- policy/modules/admin/smoltclient.fc | 2 - policy/modules/admin/smoltclient.if | 1 - policy/modules/admin/smoltclient.te | 68 -- policy/modules/admin/sosreport.fc | 1 - policy/modules/admin/sosreport.if | 129 --- policy/modules/admin/sosreport.te | 148 --- policy/modules/admin/sxid.fc | 6 - policy/modules/admin/sxid.if | 22 - policy/modules/admin/sxid.te | 97 -- policy/modules/admin/tmpreaper.fc | 2 - policy/modules/admin/tmpreaper.if | 21 - policy/modules/admin/tmpreaper.te | 74 -- policy/modules/admin/tripwire.fc | 10 - policy/modules/admin/tripwire.if | 190 ---- policy/modules/admin/tripwire.te | 146 --- policy/modules/admin/tzdata.fc | 1 - policy/modules/admin/tzdata.if | 45 - policy/modules/admin/tzdata.te | 36 - policy/modules/admin/updfstab.fc | 3 - policy/modules/admin/updfstab.if | 21 - policy/modules/admin/updfstab.te | 116 -- policy/modules/admin/usbmodules.fc | 9 - policy/modules/admin/usbmodules.if | 46 - policy/modules/admin/usbmodules.te | 47 - policy/modules/admin/usermanage.te | 4 +- policy/modules/admin/vbetool.fc | 1 - policy/modules/admin/vbetool.if | 45 - policy/modules/admin/vbetool.te | 51 - policy/modules/admin/vpn.fc | 13 - policy/modules/admin/vpn.if | 139 --- policy/modules/admin/vpn.te | 121 -- policy/modules/apps/ada.fc | 7 - policy/modules/apps/ada.if | 45 - policy/modules/apps/ada.te | 24 - policy/modules/apps/authbind.fc | 3 - policy/modules/apps/authbind.if | 20 - policy/modules/apps/authbind.te | 31 - policy/modules/apps/awstats.fc | 5 - policy/modules/apps/awstats.if | 42 - policy/modules/apps/awstats.te | 85 -- policy/modules/apps/calamaris.fc | 10 - policy/modules/apps/calamaris.if | 21 - policy/modules/apps/calamaris.te | 83 -- policy/modules/apps/cdrecord.fc | 6 - policy/modules/apps/cdrecord.if | 33 - policy/modules/apps/cdrecord.te | 120 -- policy/modules/apps/cpufreqselector.fc | 1 - policy/modules/apps/cpufreqselector.if | 22 - policy/modules/apps/cpufreqselector.te | 55 - policy/modules/apps/evolution.fc | 21 - policy/modules/apps/evolution.if | 153 --- policy/modules/apps/evolution.te | 618 ----------- policy/modules/apps/games.fc | 66 -- policy/modules/apps/games.if | 51 - policy/modules/apps/games.te | 181 --- policy/modules/apps/gift.fc | 6 - policy/modules/apps/gift.if | 42 - policy/modules/apps/gift.te | 147 --- policy/modules/apps/gitosis.fc | 5 - policy/modules/apps/gitosis.if | 86 -- policy/modules/apps/gitosis.te | 41 - policy/modules/apps/gnome.fc | 9 - policy/modules/apps/gnome.if | 190 ---- policy/modules/apps/gnome.te | 77 -- policy/modules/apps/gpg.fc | 9 - policy/modules/apps/gpg.if | 181 --- policy/modules/apps/gpg.te | 359 ------ policy/modules/apps/irc.fc | 11 - policy/modules/apps/irc.if | 31 - policy/modules/apps/irc.te | 103 -- policy/modules/apps/java.fc | 38 - policy/modules/apps/java.if | 200 ---- policy/modules/apps/java.te | 156 --- policy/modules/apps/kdumpgui.fc | 1 - policy/modules/apps/kdumpgui.if | 2 - policy/modules/apps/kdumpgui.te | 65 -- policy/modules/apps/livecd.fc | 1 - policy/modules/apps/livecd.if | 104 -- policy/modules/apps/livecd.te | 35 - policy/modules/apps/loadkeys.fc | 3 - policy/modules/apps/loadkeys.if | 67 -- policy/modules/apps/loadkeys.te | 50 - policy/modules/apps/lockdev.fc | 2 - policy/modules/apps/lockdev.if | 33 - policy/modules/apps/lockdev.te | 39 - policy/modules/apps/mono.fc | 1 - policy/modules/apps/mono.if | 138 --- policy/modules/apps/mono.te | 52 - policy/modules/apps/mozilla.fc | 29 - policy/modules/apps/mozilla.if | 306 ------ policy/modules/apps/mozilla.te | 455 -------- policy/modules/apps/mplayer.fc | 14 - policy/modules/apps/mplayer.if | 104 -- policy/modules/apps/mplayer.te | 314 ------ policy/modules/apps/podsleuth.fc | 3 - policy/modules/apps/podsleuth.if | 45 - policy/modules/apps/podsleuth.te | 89 -- policy/modules/apps/ptchown.fc | 1 - policy/modules/apps/ptchown.if | 44 - policy/modules/apps/ptchown.te | 31 - policy/modules/apps/pulseaudio.fc | 7 - policy/modules/apps/pulseaudio.if | 260 ----- policy/modules/apps/pulseaudio.te | 150 --- policy/modules/apps/qemu.fc | 4 - policy/modules/apps/qemu.if | 309 ------ policy/modules/apps/qemu.te | 128 --- policy/modules/apps/rssh.fc | 1 - policy/modules/apps/rssh.if | 103 -- policy/modules/apps/rssh.te | 105 -- policy/modules/apps/sambagui.fc | 1 - policy/modules/apps/sambagui.if | 2 - policy/modules/apps/sambagui.te | 61 -- policy/modules/apps/screen.fc | 15 - policy/modules/apps/screen.if | 163 --- policy/modules/apps/screen.te | 26 - policy/modules/apps/slocate.fc | 2 - policy/modules/apps/slocate.if | 41 - policy/modules/apps/slocate.te | 70 -- policy/modules/apps/telepathy.fc | 18 - policy/modules/apps/telepathy.if | 181 --- policy/modules/apps/telepathy.te | 380 ------- policy/modules/apps/thunderbird.fc | 6 - policy/modules/apps/thunderbird.if | 63 -- policy/modules/apps/thunderbird.te | 210 ---- policy/modules/apps/tvtime.fc | 5 - policy/modules/apps/tvtime.if | 40 - policy/modules/apps/tvtime.te | 93 -- policy/modules/apps/uml.fc | 14 - policy/modules/apps/uml.if | 99 -- policy/modules/apps/uml.te | 191 ---- policy/modules/apps/userhelper.fc | 9 - policy/modules/apps/userhelper.if | 258 ----- policy/modules/apps/userhelper.te | 14 - policy/modules/apps/usernetctl.fc | 2 - policy/modules/apps/usernetctl.if | 64 -- policy/modules/apps/usernetctl.te | 69 -- policy/modules/apps/vlock.fc | 1 - policy/modules/apps/vlock.if | 46 - policy/modules/apps/vlock.te | 53 - policy/modules/apps/vmware.fc | 71 -- policy/modules/apps/vmware.if | 104 -- policy/modules/apps/vmware.te | 286 ----- policy/modules/apps/webalizer.fc | 10 - policy/modules/apps/webalizer.if | 45 - policy/modules/apps/webalizer.te | 109 -- policy/modules/apps/wine.fc | 21 - policy/modules/apps/wine.if | 178 --- policy/modules/apps/wine.te | 64 -- policy/modules/apps/wireshark.fc | 3 - policy/modules/apps/wireshark.if | 55 - policy/modules/apps/wireshark.te | 122 --- policy/modules/apps/wm.fc | 4 - policy/modules/apps/wm.if | 111 -- policy/modules/apps/wm.te | 9 - policy/modules/apps/xscreensaver.fc | 1 - policy/modules/apps/xscreensaver.if | 30 - policy/modules/apps/xscreensaver.te | 44 - policy/modules/apps/yam.fc | 6 - policy/modules/apps/yam.if | 66 -- policy/modules/apps/yam.te | 124 --- policy/modules/roles/auditadm.te | 2 +- policy/modules/roles/dbadm.fc | 1 - policy/modules/roles/dbadm.if | 50 - policy/modules/roles/dbadm.te | 60 - policy/modules/roles/guest.fc | 1 - policy/modules/roles/guest.if | 50 - policy/modules/roles/guest.te | 17 - policy/modules/roles/webadm.fc | 1 - policy/modules/roles/webadm.if | 50 - policy/modules/roles/webadm.te | 55 - policy/modules/roles/xguest.fc | 1 - policy/modules/roles/xguest.if | 50 - policy/modules/roles/xguest.te | 98 -- policy/modules/services/abrt.fc | 20 - policy/modules/services/abrt.if | 303 ----- policy/modules/services/abrt.te | 227 ---- policy/modules/services/accountsd.fc | 3 - policy/modules/services/accountsd.if | 145 --- policy/modules/services/accountsd.te | 57 - policy/modules/services/afs.fc | 32 - policy/modules/services/afs.if | 109 -- policy/modules/services/afs.te | 355 ------ policy/modules/services/aiccu.fc | 6 - policy/modules/services/aiccu.if | 95 -- policy/modules/services/aiccu.te | 76 -- policy/modules/services/aide.fc | 6 - policy/modules/services/aide.if | 71 -- policy/modules/services/aide.te | 42 - policy/modules/services/aisexec.fc | 9 - policy/modules/services/aisexec.if | 106 -- policy/modules/services/aisexec.te | 102 -- policy/modules/services/amavis.fc | 18 - policy/modules/services/amavis.if | 261 ----- policy/modules/services/amavis.te | 194 ---- policy/modules/services/apache.fc | 111 -- policy/modules/services/apache.if | 1218 --------------------- policy/modules/services/apache.te | 901 --------------- policy/modules/services/apcupsd.fc | 15 - policy/modules/services/apcupsd.if | 168 --- policy/modules/services/apcupsd.te | 127 --- policy/modules/services/apm.fc | 23 - policy/modules/services/apm.if | 113 -- policy/modules/services/apm.te | 232 ---- policy/modules/services/arpwatch.fc | 12 - policy/modules/services/arpwatch.if | 156 --- policy/modules/services/arpwatch.te | 98 -- policy/modules/services/asterisk.fc | 9 - policy/modules/services/asterisk.if | 92 -- policy/modules/services/asterisk.te | 170 --- policy/modules/services/automount.fc | 16 - policy/modules/services/automount.if | 168 --- policy/modules/services/automount.te | 182 --- policy/modules/services/avahi.fc | 9 - policy/modules/services/avahi.if | 166 --- policy/modules/services/avahi.te | 112 -- policy/modules/services/bind.fc | 63 -- policy/modules/services/bind.if | 399 ------- policy/modules/services/bind.te | 260 ----- policy/modules/services/bitlbee.fc | 6 - policy/modules/services/bitlbee.if | 59 - policy/modules/services/bitlbee.te | 94 -- policy/modules/services/bluetooth.fc | 30 - policy/modules/services/bluetooth.if | 228 ---- policy/modules/services/bluetooth.te | 244 ----- policy/modules/services/bugzilla.fc | 4 - policy/modules/services/bugzilla.if | 77 -- policy/modules/services/bugzilla.te | 50 - policy/modules/services/canna.fc | 23 - policy/modules/services/canna.if | 61 -- policy/modules/services/canna.te | 93 -- policy/modules/services/ccs.fc | 6 - policy/modules/services/ccs.if | 75 -- policy/modules/services/ccs.te | 122 --- policy/modules/services/certmaster.fc | 8 - policy/modules/services/certmaster.if | 145 --- policy/modules/services/certmaster.te | 71 -- policy/modules/services/certmonger.fc | 6 - policy/modules/services/certmonger.if | 174 --- policy/modules/services/certmonger.te | 72 -- policy/modules/services/cgroup.fc | 15 - policy/modules/services/cgroup.if | 199 ---- policy/modules/services/cgroup.te | 109 -- policy/modules/services/chronyd.fc | 9 - policy/modules/services/chronyd.if | 105 -- policy/modules/services/chronyd.te | 68 -- policy/modules/services/cipe.fc | 4 - policy/modules/services/cipe.if | 1 - policy/modules/services/cipe.te | 72 -- policy/modules/services/clamav.fc | 20 - policy/modules/services/clamav.if | 192 ---- policy/modules/services/clamav.te | 275 ----- policy/modules/services/clockspeed.fc | 14 - policy/modules/services/clockspeed.if | 44 - policy/modules/services/clockspeed.te | 72 -- policy/modules/services/clogd.fc | 3 - policy/modules/services/clogd.if | 79 -- policy/modules/services/clogd.te | 54 - policy/modules/services/cmirrord.fc | 5 - policy/modules/services/cmirrord.if | 113 -- policy/modules/services/cmirrord.te | 58 - policy/modules/services/cobbler.fc | 7 - policy/modules/services/cobbler.if | 185 ---- policy/modules/services/cobbler.te | 128 --- policy/modules/services/colord.fc | 4 - policy/modules/services/colord.if | 59 - policy/modules/services/colord.te | 100 -- policy/modules/services/comsat.fc | 2 - policy/modules/services/comsat.if | 1 - policy/modules/services/comsat.te | 74 -- policy/modules/services/consolekit.fc | 7 - policy/modules/services/consolekit.if | 98 -- policy/modules/services/consolekit.te | 131 --- policy/modules/services/corosync.fc | 12 - policy/modules/services/corosync.if | 106 -- policy/modules/services/corosync.te | 103 -- policy/modules/services/courier.fc | 30 - policy/modules/services/courier.if | 216 ---- policy/modules/services/courier.te | 148 --- policy/modules/services/cpucontrol.fc | 10 - policy/modules/services/cpucontrol.if | 17 - policy/modules/services/cpucontrol.te | 122 --- policy/modules/services/cron.fc | 47 - policy/modules/services/cron.if | 633 ----------- policy/modules/services/cron.te | 628 ----------- policy/modules/services/cups.fc | 73 -- policy/modules/services/cups.if | 358 ------ policy/modules/services/cups.te | 781 ------------- policy/modules/services/cvs.fc | 10 - policy/modules/services/cvs.if | 82 -- policy/modules/services/cvs.te | 115 -- policy/modules/services/cyphesis.fc | 5 - policy/modules/services/cyphesis.if | 19 - policy/modules/services/cyphesis.te | 85 -- policy/modules/services/cyrus.fc | 7 - policy/modules/services/cyrus.if | 81 -- policy/modules/services/cyrus.te | 145 --- policy/modules/services/dante.fc | 6 - policy/modules/services/dante.if | 1 - policy/modules/services/dante.te | 79 -- policy/modules/services/dbskk.fc | 2 - policy/modules/services/dbskk.if | 1 - policy/modules/services/dbskk.te | 69 -- policy/modules/services/dbus.fc | 17 - policy/modules/services/dbus.if | 500 --------- policy/modules/services/dbus.te | 162 --- policy/modules/services/dcc.fc | 21 - policy/modules/services/dcc.if | 173 --- policy/modules/services/dcc.te | 404 ------- policy/modules/services/ddclient.fc | 12 - policy/modules/services/ddclient.if | 93 -- policy/modules/services/ddclient.te | 108 -- policy/modules/services/denyhosts.fc | 7 - policy/modules/services/denyhosts.if | 85 -- policy/modules/services/denyhosts.te | 72 -- policy/modules/services/devicekit.fc | 14 - policy/modules/services/devicekit.if | 185 ---- policy/modules/services/devicekit.te | 284 ----- policy/modules/services/dhcp.fc | 8 - policy/modules/services/dhcp.if | 99 -- policy/modules/services/dhcp.te | 124 --- policy/modules/services/dictd.fc | 9 - policy/modules/services/dictd.if | 57 - policy/modules/services/dictd.te | 98 -- policy/modules/services/distcc.fc | 2 - policy/modules/services/distcc.if | 1 - policy/modules/services/distcc.te | 93 -- policy/modules/services/djbdns.fc | 9 - policy/modules/services/djbdns.if | 90 -- policy/modules/services/djbdns.te | 49 - policy/modules/services/dkim.fc | 9 - policy/modules/services/dkim.if | 1 - policy/modules/services/dkim.te | 31 - policy/modules/services/dnsmasq.fc | 12 - policy/modules/services/dnsmasq.if | 211 ---- policy/modules/services/dnsmasq.te | 117 -- policy/modules/services/dovecot.fc | 43 - policy/modules/services/dovecot.if | 130 --- policy/modules/services/dovecot.te | 306 ------ policy/modules/services/entropyd.fc | 8 - policy/modules/services/entropyd.if | 1 - policy/modules/services/entropyd.te | 80 -- policy/modules/services/exim.fc | 8 - policy/modules/services/exim.if | 196 ---- policy/modules/services/exim.te | 203 ---- policy/modules/services/fail2ban.fc | 8 - policy/modules/services/fail2ban.if | 175 --- policy/modules/services/fail2ban.te | 98 -- policy/modules/services/fetchmail.fc | 19 - policy/modules/services/fetchmail.if | 30 - policy/modules/services/fetchmail.te | 104 -- policy/modules/services/finger.fc | 19 - policy/modules/services/finger.if | 33 - policy/modules/services/finger.te | 121 -- policy/modules/services/fprintd.fc | 2 - policy/modules/services/fprintd.if | 41 - policy/modules/services/fprintd.te | 57 - policy/modules/services/ftp.fc | 31 - policy/modules/services/ftp.if | 206 ---- policy/modules/services/ftp.te | 412 ------- policy/modules/services/gatekeeper.fc | 8 - policy/modules/services/gatekeeper.if | 1 - policy/modules/services/gatekeeper.te | 99 -- policy/modules/services/git.fc | 11 - policy/modules/services/git.if | 50 - policy/modules/services/git.te | 227 ---- policy/modules/services/gnomeclock.fc | 2 - policy/modules/services/gnomeclock.if | 65 -- policy/modules/services/gnomeclock.te | 46 - policy/modules/services/gpm.fc | 7 - policy/modules/services/gpm.if | 81 -- policy/modules/services/gpm.te | 79 -- policy/modules/services/gpsd.fc | 6 - policy/modules/services/gpsd.if | 66 -- policy/modules/services/gpsd.te | 64 -- policy/modules/services/hadoop.fc | 59 - policy/modules/services/hadoop.if | 534 --------- policy/modules/services/hadoop.te | 440 -------- policy/modules/services/hal.fc | 33 - policy/modules/services/hal.if | 433 -------- policy/modules/services/hal.te | 531 --------- policy/modules/services/hddtemp.fc | 5 - policy/modules/services/hddtemp.if | 77 -- policy/modules/services/hddtemp.te | 49 - policy/modules/services/howl.fc | 5 - policy/modules/services/howl.if | 19 - policy/modules/services/howl.te | 80 -- policy/modules/services/i18n_input.fc | 19 - policy/modules/services/i18n_input.if | 15 - policy/modules/services/i18n_input.te | 102 -- policy/modules/services/icecast.fc | 7 - policy/modules/services/icecast.if | 188 ---- policy/modules/services/icecast.te | 61 -- policy/modules/services/ifplugd.fc | 7 - policy/modules/services/ifplugd.if | 133 --- policy/modules/services/ifplugd.te | 76 -- policy/modules/services/imaze.fc | 4 - policy/modules/services/imaze.if | 1 - policy/modules/services/imaze.te | 99 -- policy/modules/services/inetd.fc | 12 - policy/modules/services/inetd.if | 205 ---- policy/modules/services/inetd.te | 242 ---- policy/modules/services/inn.fc | 67 -- policy/modules/services/inn.if | 224 ---- policy/modules/services/inn.te | 129 --- policy/modules/services/ircd.fc | 7 - policy/modules/services/ircd.if | 1 - policy/modules/services/ircd.te | 93 -- policy/modules/services/irqbalance.fc | 2 - policy/modules/services/irqbalance.if | 1 - policy/modules/services/irqbalance.te | 56 - policy/modules/services/jabber.fc | 6 - policy/modules/services/jabber.if | 56 - policy/modules/services/jabber.te | 94 -- policy/modules/services/kerberos.fc | 33 - policy/modules/services/kerberos.if | 380 ------- policy/modules/services/kerberos.te | 325 ------ policy/modules/services/kerneloops.fc | 3 - policy/modules/services/kerneloops.if | 115 -- policy/modules/services/kerneloops.te | 54 - policy/modules/services/ksmtuned.fc | 5 - policy/modules/services/ksmtuned.if | 74 -- policy/modules/services/ksmtuned.te | 39 - policy/modules/services/ktalk.fc | 7 - policy/modules/services/ktalk.if | 1 - policy/modules/services/ktalk.te | 79 -- policy/modules/services/ldap.fc | 17 - policy/modules/services/ldap.if | 120 -- policy/modules/services/ldap.te | 132 --- policy/modules/services/likewise.fc | 54 - policy/modules/services/likewise.if | 105 -- policy/modules/services/likewise.te | 238 ---- policy/modules/services/lircd.fc | 10 - policy/modules/services/lircd.if | 96 -- policy/modules/services/lircd.te | 64 -- policy/modules/services/lpd.fc | 37 - policy/modules/services/lpd.if | 214 ---- policy/modules/services/lpd.te | 330 ------ policy/modules/services/mailman.fc | 34 - policy/modules/services/mailman.if | 352 ------ policy/modules/services/mailman.te | 128 --- policy/modules/services/mediawiki.fc | 8 - policy/modules/services/mediawiki.if | 1 - policy/modules/services/mediawiki.te | 17 - policy/modules/services/memcached.fc | 5 - policy/modules/services/memcached.if | 73 -- policy/modules/services/memcached.te | 58 - policy/modules/services/milter.fc | 13 - policy/modules/services/milter.if | 102 -- policy/modules/services/milter.te | 96 -- policy/modules/services/modemmanager.fc | 1 - policy/modules/services/modemmanager.if | 40 - policy/modules/services/modemmanager.te | 41 - policy/modules/services/mojomojo.fc | 5 - policy/modules/services/mojomojo.if | 40 - policy/modules/services/mojomojo.te | 36 - policy/modules/services/monop.fc | 4 - policy/modules/services/monop.if | 1 - policy/modules/services/monop.te | 85 -- policy/modules/services/mpd.fc | 8 - policy/modules/services/mpd.if | 267 ----- policy/modules/services/mpd.te | 126 --- policy/modules/services/mta.fc | 30 - policy/modules/services/mta.if | 901 --------------- policy/modules/services/mta.te | 294 ----- policy/modules/services/munin.fc | 69 -- policy/modules/services/munin.if | 203 ---- policy/modules/services/munin.te | 315 ------ policy/modules/services/mysql.fc | 30 - policy/modules/services/mysql.if | 355 ------ policy/modules/services/mysql.te | 239 ---- policy/modules/services/nagios.fc | 88 -- policy/modules/services/nagios.if | 229 ---- policy/modules/services/nagios.te | 392 ------- policy/modules/services/nessus.fc | 10 - policy/modules/services/nessus.if | 15 - policy/modules/services/nessus.te | 105 -- policy/modules/services/networkmanager.fc | 26 - policy/modules/services/networkmanager.if | 193 ---- policy/modules/services/networkmanager.te | 289 ----- policy/modules/services/nis.fc | 21 - policy/modules/services/nis.if | 396 ------- policy/modules/services/nis.te | 347 ------ policy/modules/services/nscd.fc | 13 - policy/modules/services/nscd.if | 291 ----- policy/modules/services/nscd.te | 129 --- policy/modules/services/nsd.fc | 14 - policy/modules/services/nsd.if | 29 - policy/modules/services/nsd.te | 180 --- policy/modules/services/nslcd.fc | 4 - policy/modules/services/nslcd.if | 114 -- policy/modules/services/nslcd.te | 45 - policy/modules/services/ntop.fc | 6 - policy/modules/services/ntop.if | 1 - policy/modules/services/ntop.te | 114 -- policy/modules/services/ntp.fc | 22 - policy/modules/services/ntp.if | 165 --- policy/modules/services/ntp.te | 156 --- policy/modules/services/nut.fc | 12 - policy/modules/services/nut.if | 1 - policy/modules/services/nut.te | 171 --- policy/modules/services/nx.fc | 12 - policy/modules/services/nx.if | 85 -- policy/modules/services/nx.te | 98 -- policy/modules/services/oav.fc | 9 - policy/modules/services/oav.if | 46 - policy/modules/services/oav.te | 146 --- policy/modules/services/oddjob.fc | 5 - policy/modules/services/oddjob.if | 111 -- policy/modules/services/oddjob.te | 106 -- policy/modules/services/oident.fc | 8 - policy/modules/services/oident.if | 68 -- policy/modules/services/oident.te | 75 -- policy/modules/services/openca.fc | 9 - policy/modules/services/openca.if | 76 -- policy/modules/services/openca.te | 82 -- policy/modules/services/openct.fc | 10 - policy/modules/services/openct.if | 95 -- policy/modules/services/openct.te | 61 -- policy/modules/services/openvpn.fc | 17 - policy/modules/services/openvpn.if | 163 --- policy/modules/services/openvpn.te | 140 --- policy/modules/services/pads.fc | 10 - policy/modules/services/pads.if | 44 - policy/modules/services/pads.te | 63 -- policy/modules/services/pcscd.fc | 6 - policy/modules/services/pcscd.if | 95 -- policy/modules/services/pcscd.te | 79 -- policy/modules/services/pegasus.fc | 12 - policy/modules/services/pegasus.if | 1 - policy/modules/services/pegasus.te | 138 --- policy/modules/services/perdition.fc | 3 - policy/modules/services/perdition.if | 15 - policy/modules/services/perdition.te | 75 -- policy/modules/services/pingd.fc | 6 - policy/modules/services/pingd.if | 97 -- policy/modules/services/pingd.te | 47 - policy/modules/services/plymouthd.fc | 7 - policy/modules/services/plymouthd.if | 260 ----- policy/modules/services/plymouthd.te | 99 -- policy/modules/services/policykit.fc | 15 - policy/modules/services/policykit.if | 209 ---- policy/modules/services/policykit.te | 210 ---- policy/modules/services/portmap.fc | 12 - policy/modules/services/portmap.if | 89 -- policy/modules/services/portmap.te | 150 --- policy/modules/services/portreserve.fc | 7 - policy/modules/services/portreserve.if | 120 -- policy/modules/services/portreserve.te | 54 - policy/modules/services/portslave.fc | 4 - policy/modules/services/portslave.if | 19 - policy/modules/services/portslave.te | 125 --- policy/modules/services/postfix.fc | 53 - policy/modules/services/postfix.if | 623 ----------- policy/modules/services/postfix.te | 632 ----------- policy/modules/services/postfixpolicyd.fc | 6 - policy/modules/services/postfixpolicyd.if | 40 - policy/modules/services/postfixpolicyd.te | 53 - policy/modules/services/postgresql.te | 4 +- policy/modules/services/postgrey.fc | 12 - policy/modules/services/postgrey.if | 81 -- policy/modules/services/postgrey.te | 107 -- policy/modules/services/ppp.fc | 38 - policy/modules/services/ppp.if | 395 ------- policy/modules/services/ppp.te | 326 ------ policy/modules/services/prelude.fc | 18 - policy/modules/services/prelude.if | 144 --- policy/modules/services/prelude.te | 308 ------ policy/modules/services/privoxy.fc | 6 - policy/modules/services/privoxy.if | 42 - policy/modules/services/privoxy.te | 103 -- policy/modules/services/procmail.fc | 5 - policy/modules/services/procmail.if | 79 -- policy/modules/services/procmail.te | 150 --- policy/modules/services/psad.fc | 8 - policy/modules/services/psad.if | 262 ----- policy/modules/services/psad.te | 106 -- policy/modules/services/publicfile.fc | 7 - policy/modules/services/publicfile.if | 1 - policy/modules/services/publicfile.te | 34 - policy/modules/services/puppet.fc | 11 - policy/modules/services/puppet.if | 31 - policy/modules/services/puppet.te | 235 ---- policy/modules/services/pxe.fc | 6 - policy/modules/services/pxe.if | 1 - policy/modules/services/pxe.te | 63 -- policy/modules/services/pyicqt.fc | 7 - policy/modules/services/pyicqt.if | 1 - policy/modules/services/pyicqt.te | 59 - policy/modules/services/pyzor.fc | 9 - policy/modules/services/pyzor.if | 90 -- policy/modules/services/pyzor.te | 148 --- policy/modules/services/qmail.fc | 47 - policy/modules/services/qmail.if | 151 --- policy/modules/services/qmail.te | 321 ------ policy/modules/services/qpid.fc | 8 - policy/modules/services/qpid.if | 186 ---- policy/modules/services/qpid.te | 63 -- policy/modules/services/radius.fc | 23 - policy/modules/services/radius.if | 62 -- policy/modules/services/radius.te | 143 --- policy/modules/services/radvd.fc | 7 - policy/modules/services/radvd.if | 39 - policy/modules/services/radvd.te | 82 -- policy/modules/services/razor.fc | 8 - policy/modules/services/razor.if | 159 --- policy/modules/services/razor.te | 122 --- policy/modules/services/rdisc.fc | 2 - policy/modules/services/rdisc.if | 20 - policy/modules/services/rdisc.te | 58 - policy/modules/services/remotelogin.fc | 2 - policy/modules/services/remotelogin.if | 37 - policy/modules/services/remotelogin.te | 123 --- policy/modules/services/resmgr.fc | 7 - policy/modules/services/resmgr.if | 22 - policy/modules/services/resmgr.te | 66 -- policy/modules/services/rgmanager.fc | 7 - policy/modules/services/rgmanager.if | 77 -- policy/modules/services/rgmanager.te | 202 ---- policy/modules/services/rhcs.fc | 22 - policy/modules/services/rhcs.if | 355 ------ policy/modules/services/rhcs.te | 240 ---- policy/modules/services/rhgb.fc | 4 - policy/modules/services/rhgb.if | 198 ---- policy/modules/services/rhgb.te | 142 --- policy/modules/services/ricci.fc | 16 - policy/modules/services/ricci.if | 167 --- policy/modules/services/ricci.te | 488 --------- policy/modules/services/rlogin.fc | 7 - policy/modules/services/rlogin.if | 47 - policy/modules/services/rlogin.te | 116 -- policy/modules/services/roundup.fc | 11 - policy/modules/services/roundup.if | 39 - policy/modules/services/roundup.te | 96 -- policy/modules/services/rpc.fc | 31 - policy/modules/services/rpc.if | 435 -------- policy/modules/services/rpc.te | 237 ---- policy/modules/services/rpcbind.fc | 9 - policy/modules/services/rpcbind.if | 148 --- policy/modules/services/rpcbind.te | 69 -- policy/modules/services/rshd.fc | 5 - policy/modules/services/rshd.if | 21 - policy/modules/services/rshd.te | 96 -- policy/modules/services/rsync.fc | 7 - policy/modules/services/rsync.if | 143 --- policy/modules/services/rsync.te | 133 --- policy/modules/services/rtkit.fc | 1 - policy/modules/services/rtkit.if | 60 - policy/modules/services/rtkit.te | 35 - policy/modules/services/rwho.fc | 7 - policy/modules/services/rwho.if | 154 --- policy/modules/services/rwho.te | 60 - policy/modules/services/samba.fc | 53 - policy/modules/services/samba.if | 730 ------------ policy/modules/services/samba.te | 939 ---------------- policy/modules/services/samhain.fc | 13 - policy/modules/services/samhain.if | 292 ----- policy/modules/services/samhain.te | 76 -- policy/modules/services/sasl.fc | 12 - policy/modules/services/sasl.if | 58 - policy/modules/services/sasl.te | 110 -- policy/modules/services/sendmail.fc | 6 - policy/modules/services/sendmail.if | 297 ----- policy/modules/services/sendmail.te | 187 ---- policy/modules/services/setroubleshoot.fc | 9 - policy/modules/services/setroubleshoot.if | 135 --- policy/modules/services/setroubleshoot.te | 177 --- policy/modules/services/slrnpull.fc | 10 - policy/modules/services/slrnpull.if | 42 - policy/modules/services/slrnpull.te | 70 -- policy/modules/services/smartmon.fc | 12 - policy/modules/services/smartmon.if | 57 - policy/modules/services/smartmon.te | 121 -- policy/modules/services/smokeping.fc | 9 - policy/modules/services/smokeping.if | 167 --- policy/modules/services/smokeping.te | 77 -- policy/modules/services/snmp.fc | 24 - policy/modules/services/snmp.if | 147 --- policy/modules/services/snmp.te | 172 --- policy/modules/services/snort.fc | 9 - policy/modules/services/snort.if | 60 - policy/modules/services/snort.te | 117 -- policy/modules/services/soundserver.fc | 13 - policy/modules/services/soundserver.if | 57 - policy/modules/services/soundserver.te | 114 -- policy/modules/services/spamassassin.fc | 15 - policy/modules/services/spamassassin.if | 227 ---- policy/modules/services/spamassassin.te | 453 -------- policy/modules/services/speedtouch.fc | 2 - policy/modules/services/speedtouch.if | 1 - policy/modules/services/speedtouch.te | 61 -- policy/modules/services/squid.fc | 14 - policy/modules/services/squid.if | 233 ---- policy/modules/services/squid.te | 208 ---- policy/modules/services/ssh.if | 4 +- policy/modules/services/sssd.fc | 11 - policy/modules/services/sssd.if | 255 ----- policy/modules/services/sssd.te | 90 -- policy/modules/services/stunnel.fc | 7 - policy/modules/services/stunnel.if | 25 - policy/modules/services/stunnel.te | 123 --- policy/modules/services/sysstat.fc | 8 - policy/modules/services/sysstat.if | 21 - policy/modules/services/sysstat.te | 70 -- policy/modules/services/tcpd.fc | 2 - policy/modules/services/tcpd.if | 45 - policy/modules/services/tcpd.te | 50 - policy/modules/services/tcsd.fc | 3 - policy/modules/services/tcsd.if | 150 --- policy/modules/services/tcsd.te | 50 - policy/modules/services/telnet.fc | 4 - policy/modules/services/telnet.if | 1 - policy/modules/services/telnet.te | 100 -- policy/modules/services/tftp.fc | 8 - policy/modules/services/tftp.if | 67 -- policy/modules/services/tftp.te | 106 -- policy/modules/services/tgtd.fc | 3 - policy/modules/services/tgtd.if | 46 - policy/modules/services/tgtd.te | 66 -- policy/modules/services/timidity.fc | 2 - policy/modules/services/timidity.if | 1 - policy/modules/services/timidity.te | 85 -- policy/modules/services/tor.fc | 12 - policy/modules/services/tor.if | 64 -- policy/modules/services/tor.te | 120 -- policy/modules/services/transproxy.fc | 3 - policy/modules/services/transproxy.if | 1 - policy/modules/services/transproxy.te | 65 -- policy/modules/services/tuned.fc | 8 - policy/modules/services/tuned.if | 129 --- policy/modules/services/tuned.te | 64 -- policy/modules/services/ucspitcp.fc | 3 - policy/modules/services/ucspitcp.if | 38 - policy/modules/services/ucspitcp.te | 93 -- policy/modules/services/ulogd.fc | 7 - policy/modules/services/ulogd.if | 142 --- policy/modules/services/ulogd.te | 67 -- policy/modules/services/uptime.fc | 6 - policy/modules/services/uptime.if | 1 - policy/modules/services/uptime.te | 73 -- policy/modules/services/usbmuxd.fc | 3 - policy/modules/services/usbmuxd.if | 39 - policy/modules/services/usbmuxd.te | 42 - policy/modules/services/uucp.fc | 11 - policy/modules/services/uucp.if | 120 -- policy/modules/services/uucp.te | 149 --- policy/modules/services/uwimap.fc | 2 - policy/modules/services/uwimap.if | 20 - policy/modules/services/uwimap.te | 95 -- policy/modules/services/varnishd.fc | 18 - policy/modules/services/varnishd.if | 216 ---- policy/modules/services/varnishd.te | 118 -- policy/modules/services/vhostmd.fc | 5 - policy/modules/services/vhostmd.if | 224 ---- policy/modules/services/vhostmd.te | 76 -- policy/modules/services/virt.fc | 29 - policy/modules/services/virt.if | 518 --------- policy/modules/services/virt.te | 464 -------- policy/modules/services/vnstatd.fc | 7 - policy/modules/services/vnstatd.if | 143 --- policy/modules/services/vnstatd.te | 80 -- policy/modules/services/w3c.fc | 4 - policy/modules/services/w3c.if | 1 - policy/modules/services/w3c.te | 24 - policy/modules/services/watchdog.fc | 5 - policy/modules/services/watchdog.if | 1 - policy/modules/services/watchdog.te | 105 -- policy/modules/services/xfs.fc | 8 - policy/modules/services/xfs.if | 59 - policy/modules/services/xfs.te | 87 -- policy/modules/services/xprint.fc | 1 - policy/modules/services/xprint.if | 1 - policy/modules/services/xprint.te | 82 -- policy/modules/services/zabbix.fc | 9 - policy/modules/services/zabbix.if | 158 --- policy/modules/services/zabbix.te | 137 --- policy/modules/services/zarafa.fc | 26 - policy/modules/services/zarafa.if | 120 -- policy/modules/services/zarafa.te | 161 --- policy/modules/services/zebra.fc | 22 - policy/modules/services/zebra.if | 88 -- policy/modules/services/zebra.te | 140 --- policy/modules/services/zosremote.fc | 1 - policy/modules/services/zosremote.if | 45 - policy/modules/services/zosremote.te | 28 - policy/modules/system/daemontools.fc | 53 - policy/modules/system/daemontools.if | 212 ---- policy/modules/system/daemontools.te | 118 -- policy/modules/system/iscsi.fc | 7 - policy/modules/system/iscsi.if | 76 -- policy/modules/system/iscsi.te | 97 -- policy/modules/system/pcmcia.fc | 10 - policy/modules/system/pcmcia.if | 156 --- policy/modules/system/pcmcia.te | 137 --- policy/modules/system/raid.fc | 6 - policy/modules/system/raid.if | 75 -- policy/modules/system/raid.te | 100 -- policy/modules/system/xen.fc | 43 - policy/modules/system/xen.if | 238 ---- policy/modules/system/xen.te | 566 ---------- 889 files changed, 10 insertions(+), 82223 deletions(-) delete mode 100644 policy/modules/admin/acct.fc delete mode 100644 policy/modules/admin/acct.if delete mode 100644 policy/modules/admin/acct.te delete mode 100644 policy/modules/admin/alsa.fc delete mode 100644 policy/modules/admin/alsa.if delete mode 100644 policy/modules/admin/alsa.te delete mode 100644 policy/modules/admin/amanda.fc delete mode 100644 policy/modules/admin/amanda.if delete mode 100644 policy/modules/admin/amanda.te delete mode 100644 policy/modules/admin/amtu.fc delete mode 100644 policy/modules/admin/amtu.if delete mode 100644 policy/modules/admin/amtu.te delete mode 100644 policy/modules/admin/anaconda.fc delete mode 100644 policy/modules/admin/anaconda.if delete mode 100644 policy/modules/admin/anaconda.te delete mode 100644 policy/modules/admin/apt.fc delete mode 100644 policy/modules/admin/apt.if delete mode 100644 policy/modules/admin/apt.te delete mode 100644 policy/modules/admin/backup.fc delete mode 100644 policy/modules/admin/backup.if delete mode 100644 policy/modules/admin/backup.te delete mode 100644 policy/modules/admin/brctl.fc delete mode 100644 policy/modules/admin/brctl.if delete mode 100644 policy/modules/admin/brctl.te delete mode 100644 policy/modules/admin/certwatch.fc delete mode 100644 policy/modules/admin/certwatch.if delete mode 100644 policy/modules/admin/certwatch.te delete mode 100644 policy/modules/admin/ddcprobe.fc delete mode 100644 policy/modules/admin/ddcprobe.if delete mode 100644 policy/modules/admin/ddcprobe.te delete mode 100644 policy/modules/admin/dmidecode.fc delete mode 100644 policy/modules/admin/dmidecode.if delete mode 100644 policy/modules/admin/dmidecode.te delete mode 100644 policy/modules/admin/dpkg.fc delete mode 100644 policy/modules/admin/dpkg.if delete mode 100644 policy/modules/admin/dpkg.te delete mode 100644 policy/modules/admin/firstboot.fc delete mode 100644 policy/modules/admin/firstboot.if delete mode 100644 policy/modules/admin/firstboot.te delete mode 100644 policy/modules/admin/kdump.fc delete mode 100644 policy/modules/admin/kdump.if delete mode 100644 policy/modules/admin/kdump.te delete mode 100644 policy/modules/admin/kismet.fc delete mode 100644 policy/modules/admin/kismet.if delete mode 100644 policy/modules/admin/kismet.te delete mode 100644 policy/modules/admin/kudzu.fc delete mode 100644 policy/modules/admin/kudzu.if delete mode 100644 policy/modules/admin/kudzu.te delete mode 100644 policy/modules/admin/logrotate.fc delete mode 100644 policy/modules/admin/logrotate.if delete mode 100644 policy/modules/admin/logrotate.te delete mode 100644 policy/modules/admin/logwatch.fc delete mode 100644 policy/modules/admin/logwatch.if delete mode 100644 policy/modules/admin/logwatch.te delete mode 100644 policy/modules/admin/mcelog.fc delete mode 100644 policy/modules/admin/mcelog.if delete mode 100644 policy/modules/admin/mcelog.te delete mode 100644 policy/modules/admin/mrtg.fc delete mode 100644 policy/modules/admin/mrtg.if delete mode 100644 policy/modules/admin/mrtg.te delete mode 100644 policy/modules/admin/ncftool.fc delete mode 100644 policy/modules/admin/ncftool.if delete mode 100644 policy/modules/admin/ncftool.te delete mode 100644 policy/modules/admin/passenger.fc delete mode 100644 policy/modules/admin/passenger.if delete mode 100644 policy/modules/admin/passenger.te delete mode 100644 policy/modules/admin/portage.fc delete mode 100644 policy/modules/admin/portage.if delete mode 100644 policy/modules/admin/portage.te delete mode 100644 policy/modules/admin/prelink.fc delete mode 100644 policy/modules/admin/prelink.if delete mode 100644 policy/modules/admin/prelink.te delete mode 100644 policy/modules/admin/quota.fc delete mode 100644 policy/modules/admin/quota.if delete mode 100644 policy/modules/admin/quota.te delete mode 100644 policy/modules/admin/readahead.fc delete mode 100644 policy/modules/admin/readahead.if delete mode 100644 policy/modules/admin/readahead.te delete mode 100644 policy/modules/admin/rpm.fc delete mode 100644 policy/modules/admin/rpm.if delete mode 100644 policy/modules/admin/rpm.te delete mode 100644 policy/modules/admin/sectoolm.fc delete mode 100644 policy/modules/admin/sectoolm.if delete mode 100644 policy/modules/admin/sectoolm.te delete mode 100644 policy/modules/admin/shorewall.fc delete mode 100644 policy/modules/admin/shorewall.if delete mode 100644 policy/modules/admin/shorewall.te delete mode 100644 policy/modules/admin/shutdown.fc delete mode 100644 policy/modules/admin/shutdown.if delete mode 100644 policy/modules/admin/shutdown.te delete mode 100644 policy/modules/admin/smoltclient.fc delete mode 100644 policy/modules/admin/smoltclient.if delete mode 100644 policy/modules/admin/smoltclient.te delete mode 100644 policy/modules/admin/sosreport.fc delete mode 100644 policy/modules/admin/sosreport.if delete mode 100644 policy/modules/admin/sosreport.te delete mode 100644 policy/modules/admin/sxid.fc delete mode 100644 policy/modules/admin/sxid.if delete mode 100644 policy/modules/admin/sxid.te delete mode 100644 policy/modules/admin/tmpreaper.fc delete mode 100644 policy/modules/admin/tmpreaper.if delete mode 100644 policy/modules/admin/tmpreaper.te delete mode 100644 policy/modules/admin/tripwire.fc delete mode 100644 policy/modules/admin/tripwire.if delete mode 100644 policy/modules/admin/tripwire.te delete mode 100644 policy/modules/admin/tzdata.fc delete mode 100644 policy/modules/admin/tzdata.if delete mode 100644 policy/modules/admin/tzdata.te delete mode 100644 policy/modules/admin/updfstab.fc delete mode 100644 policy/modules/admin/updfstab.if delete mode 100644 policy/modules/admin/updfstab.te delete mode 100644 policy/modules/admin/usbmodules.fc delete mode 100644 policy/modules/admin/usbmodules.if delete mode 100644 policy/modules/admin/usbmodules.te delete mode 100644 policy/modules/admin/vbetool.fc delete mode 100644 policy/modules/admin/vbetool.if delete mode 100644 policy/modules/admin/vbetool.te delete mode 100644 policy/modules/admin/vpn.fc delete mode 100644 policy/modules/admin/vpn.if delete mode 100644 policy/modules/admin/vpn.te delete mode 100644 policy/modules/apps/ada.fc delete mode 100644 policy/modules/apps/ada.if delete mode 100644 policy/modules/apps/ada.te delete mode 100644 policy/modules/apps/authbind.fc delete mode 100644 policy/modules/apps/authbind.if delete mode 100644 policy/modules/apps/authbind.te delete mode 100644 policy/modules/apps/awstats.fc delete mode 100644 policy/modules/apps/awstats.if delete mode 100644 policy/modules/apps/awstats.te delete mode 100644 policy/modules/apps/calamaris.fc delete mode 100644 policy/modules/apps/calamaris.if delete mode 100644 policy/modules/apps/calamaris.te delete mode 100644 policy/modules/apps/cdrecord.fc delete mode 100644 policy/modules/apps/cdrecord.if delete mode 100644 policy/modules/apps/cdrecord.te delete mode 100644 policy/modules/apps/cpufreqselector.fc delete mode 100644 policy/modules/apps/cpufreqselector.if delete mode 100644 policy/modules/apps/cpufreqselector.te delete mode 100644 policy/modules/apps/evolution.fc delete mode 100644 policy/modules/apps/evolution.if delete mode 100644 policy/modules/apps/evolution.te delete mode 100644 policy/modules/apps/games.fc delete mode 100644 policy/modules/apps/games.if delete mode 100644 policy/modules/apps/games.te delete mode 100644 policy/modules/apps/gift.fc delete mode 100644 policy/modules/apps/gift.if delete mode 100644 policy/modules/apps/gift.te delete mode 100644 policy/modules/apps/gitosis.fc delete mode 100644 policy/modules/apps/gitosis.if delete mode 100644 policy/modules/apps/gitosis.te delete mode 100644 policy/modules/apps/gnome.fc delete mode 100644 policy/modules/apps/gnome.if delete mode 100644 policy/modules/apps/gnome.te delete mode 100644 policy/modules/apps/gpg.fc delete mode 100644 policy/modules/apps/gpg.if delete mode 100644 policy/modules/apps/gpg.te delete mode 100644 policy/modules/apps/irc.fc delete mode 100644 policy/modules/apps/irc.if delete mode 100644 policy/modules/apps/irc.te delete mode 100644 policy/modules/apps/java.fc delete mode 100644 policy/modules/apps/java.if delete mode 100644 policy/modules/apps/java.te delete mode 100644 policy/modules/apps/kdumpgui.fc delete mode 100644 policy/modules/apps/kdumpgui.if delete mode 100644 policy/modules/apps/kdumpgui.te delete mode 100644 policy/modules/apps/livecd.fc delete mode 100644 policy/modules/apps/livecd.if delete mode 100644 policy/modules/apps/livecd.te delete mode 100644 policy/modules/apps/loadkeys.fc delete mode 100644 policy/modules/apps/loadkeys.if delete mode 100644 policy/modules/apps/loadkeys.te delete mode 100644 policy/modules/apps/lockdev.fc delete mode 100644 policy/modules/apps/lockdev.if delete mode 100644 policy/modules/apps/lockdev.te delete mode 100644 policy/modules/apps/mono.fc delete mode 100644 policy/modules/apps/mono.if delete mode 100644 policy/modules/apps/mono.te delete mode 100644 policy/modules/apps/mozilla.fc delete mode 100644 policy/modules/apps/mozilla.if delete mode 100644 policy/modules/apps/mozilla.te delete mode 100644 policy/modules/apps/mplayer.fc delete mode 100644 policy/modules/apps/mplayer.if delete mode 100644 policy/modules/apps/mplayer.te delete mode 100644 policy/modules/apps/podsleuth.fc delete mode 100644 policy/modules/apps/podsleuth.if delete mode 100644 policy/modules/apps/podsleuth.te delete mode 100644 policy/modules/apps/ptchown.fc delete mode 100644 policy/modules/apps/ptchown.if delete mode 100644 policy/modules/apps/ptchown.te delete mode 100644 policy/modules/apps/pulseaudio.fc delete mode 100644 policy/modules/apps/pulseaudio.if delete mode 100644 policy/modules/apps/pulseaudio.te delete mode 100644 policy/modules/apps/qemu.fc delete mode 100644 policy/modules/apps/qemu.if delete mode 100644 policy/modules/apps/qemu.te delete mode 100644 policy/modules/apps/rssh.fc delete mode 100644 policy/modules/apps/rssh.if delete mode 100644 policy/modules/apps/rssh.te delete mode 100644 policy/modules/apps/sambagui.fc delete mode 100644 policy/modules/apps/sambagui.if delete mode 100644 policy/modules/apps/sambagui.te delete mode 100644 policy/modules/apps/screen.fc delete mode 100644 policy/modules/apps/screen.if delete mode 100644 policy/modules/apps/screen.te delete mode 100644 policy/modules/apps/slocate.fc delete mode 100644 policy/modules/apps/slocate.if delete mode 100644 policy/modules/apps/slocate.te delete mode 100644 policy/modules/apps/telepathy.fc delete mode 100644 policy/modules/apps/telepathy.if delete mode 100644 policy/modules/apps/telepathy.te delete mode 100644 policy/modules/apps/thunderbird.fc delete mode 100644 policy/modules/apps/thunderbird.if delete mode 100644 policy/modules/apps/thunderbird.te delete mode 100644 policy/modules/apps/tvtime.fc delete mode 100644 policy/modules/apps/tvtime.if delete mode 100644 policy/modules/apps/tvtime.te delete mode 100644 policy/modules/apps/uml.fc delete mode 100644 policy/modules/apps/uml.if delete mode 100644 policy/modules/apps/uml.te delete mode 100644 policy/modules/apps/userhelper.fc delete mode 100644 policy/modules/apps/userhelper.if delete mode 100644 policy/modules/apps/userhelper.te delete mode 100644 policy/modules/apps/usernetctl.fc delete mode 100644 policy/modules/apps/usernetctl.if delete mode 100644 policy/modules/apps/usernetctl.te delete mode 100644 policy/modules/apps/vlock.fc delete mode 100644 policy/modules/apps/vlock.if delete mode 100644 policy/modules/apps/vlock.te delete mode 100644 policy/modules/apps/vmware.fc delete mode 100644 policy/modules/apps/vmware.if delete mode 100644 policy/modules/apps/vmware.te delete mode 100644 policy/modules/apps/webalizer.fc delete mode 100644 policy/modules/apps/webalizer.if delete mode 100644 policy/modules/apps/webalizer.te delete mode 100644 policy/modules/apps/wine.fc delete mode 100644 policy/modules/apps/wine.if delete mode 100644 policy/modules/apps/wine.te delete mode 100644 policy/modules/apps/wireshark.fc delete mode 100644 policy/modules/apps/wireshark.if delete mode 100644 policy/modules/apps/wireshark.te delete mode 100644 policy/modules/apps/wm.fc delete mode 100644 policy/modules/apps/wm.if delete mode 100644 policy/modules/apps/wm.te delete mode 100644 policy/modules/apps/xscreensaver.fc delete mode 100644 policy/modules/apps/xscreensaver.if delete mode 100644 policy/modules/apps/xscreensaver.te delete mode 100644 policy/modules/apps/yam.fc delete mode 100644 policy/modules/apps/yam.if delete mode 100644 policy/modules/apps/yam.te delete mode 100644 policy/modules/roles/dbadm.fc delete mode 100644 policy/modules/roles/dbadm.if delete mode 100644 policy/modules/roles/dbadm.te delete mode 100644 policy/modules/roles/guest.fc delete mode 100644 policy/modules/roles/guest.if delete mode 100644 policy/modules/roles/guest.te delete mode 100644 policy/modules/roles/webadm.fc delete mode 100644 policy/modules/roles/webadm.if delete mode 100644 policy/modules/roles/webadm.te delete mode 100644 policy/modules/roles/xguest.fc delete mode 100644 policy/modules/roles/xguest.if delete mode 100644 policy/modules/roles/xguest.te delete mode 100644 policy/modules/services/abrt.fc delete mode 100644 policy/modules/services/abrt.if delete mode 100644 policy/modules/services/abrt.te delete mode 100644 policy/modules/services/accountsd.fc delete mode 100644 policy/modules/services/accountsd.if delete mode 100644 policy/modules/services/accountsd.te delete mode 100644 policy/modules/services/afs.fc delete mode 100644 policy/modules/services/afs.if delete mode 100644 policy/modules/services/afs.te delete mode 100644 policy/modules/services/aiccu.fc delete mode 100644 policy/modules/services/aiccu.if delete mode 100644 policy/modules/services/aiccu.te delete mode 100644 policy/modules/services/aide.fc delete mode 100644 policy/modules/services/aide.if delete mode 100644 policy/modules/services/aide.te delete mode 100644 policy/modules/services/aisexec.fc delete mode 100644 policy/modules/services/aisexec.if delete mode 100644 policy/modules/services/aisexec.te delete mode 100644 policy/modules/services/amavis.fc delete mode 100644 policy/modules/services/amavis.if delete mode 100644 policy/modules/services/amavis.te delete mode 100644 policy/modules/services/apache.fc delete mode 100644 policy/modules/services/apache.if delete mode 100644 policy/modules/services/apache.te delete mode 100644 policy/modules/services/apcupsd.fc delete mode 100644 policy/modules/services/apcupsd.if delete mode 100644 policy/modules/services/apcupsd.te delete mode 100644 policy/modules/services/apm.fc delete mode 100644 policy/modules/services/apm.if delete mode 100644 policy/modules/services/apm.te delete mode 100644 policy/modules/services/arpwatch.fc delete mode 100644 policy/modules/services/arpwatch.if delete mode 100644 policy/modules/services/arpwatch.te delete mode 100644 policy/modules/services/asterisk.fc delete mode 100644 policy/modules/services/asterisk.if delete mode 100644 policy/modules/services/asterisk.te delete mode 100644 policy/modules/services/automount.fc delete mode 100644 policy/modules/services/automount.if delete mode 100644 policy/modules/services/automount.te delete mode 100644 policy/modules/services/avahi.fc delete mode 100644 policy/modules/services/avahi.if delete mode 100644 policy/modules/services/avahi.te delete mode 100644 policy/modules/services/bind.fc delete mode 100644 policy/modules/services/bind.if delete mode 100644 policy/modules/services/bind.te delete mode 100644 policy/modules/services/bitlbee.fc delete mode 100644 policy/modules/services/bitlbee.if delete mode 100644 policy/modules/services/bitlbee.te delete mode 100644 policy/modules/services/bluetooth.fc delete mode 100644 policy/modules/services/bluetooth.if delete mode 100644 policy/modules/services/bluetooth.te delete mode 100644 policy/modules/services/bugzilla.fc delete mode 100644 policy/modules/services/bugzilla.if delete mode 100644 policy/modules/services/bugzilla.te delete mode 100644 policy/modules/services/canna.fc delete mode 100644 policy/modules/services/canna.if delete mode 100644 policy/modules/services/canna.te delete mode 100644 policy/modules/services/ccs.fc delete mode 100644 policy/modules/services/ccs.if delete mode 100644 policy/modules/services/ccs.te delete mode 100644 policy/modules/services/certmaster.fc delete mode 100644 policy/modules/services/certmaster.if delete mode 100644 policy/modules/services/certmaster.te delete mode 100644 policy/modules/services/certmonger.fc delete mode 100644 policy/modules/services/certmonger.if delete mode 100644 policy/modules/services/certmonger.te delete mode 100644 policy/modules/services/cgroup.fc delete mode 100644 policy/modules/services/cgroup.if delete mode 100644 policy/modules/services/cgroup.te delete mode 100644 policy/modules/services/chronyd.fc delete mode 100644 policy/modules/services/chronyd.if delete mode 100644 policy/modules/services/chronyd.te delete mode 100644 policy/modules/services/cipe.fc delete mode 100644 policy/modules/services/cipe.if delete mode 100644 policy/modules/services/cipe.te delete mode 100644 policy/modules/services/clamav.fc delete mode 100644 policy/modules/services/clamav.if delete mode 100644 policy/modules/services/clamav.te delete mode 100644 policy/modules/services/clockspeed.fc delete mode 100644 policy/modules/services/clockspeed.if delete mode 100644 policy/modules/services/clockspeed.te delete mode 100644 policy/modules/services/clogd.fc delete mode 100644 policy/modules/services/clogd.if delete mode 100644 policy/modules/services/clogd.te delete mode 100644 policy/modules/services/cmirrord.fc delete mode 100644 policy/modules/services/cmirrord.if delete mode 100644 policy/modules/services/cmirrord.te delete mode 100644 policy/modules/services/cobbler.fc delete mode 100644 policy/modules/services/cobbler.if delete mode 100644 policy/modules/services/cobbler.te delete mode 100644 policy/modules/services/colord.fc delete mode 100644 policy/modules/services/colord.if delete mode 100644 policy/modules/services/colord.te delete mode 100644 policy/modules/services/comsat.fc delete mode 100644 policy/modules/services/comsat.if delete mode 100644 policy/modules/services/comsat.te delete mode 100644 policy/modules/services/consolekit.fc delete mode 100644 policy/modules/services/consolekit.if delete mode 100644 policy/modules/services/consolekit.te delete mode 100644 policy/modules/services/corosync.fc delete mode 100644 policy/modules/services/corosync.if delete mode 100644 policy/modules/services/corosync.te delete mode 100644 policy/modules/services/courier.fc delete mode 100644 policy/modules/services/courier.if delete mode 100644 policy/modules/services/courier.te delete mode 100644 policy/modules/services/cpucontrol.fc delete mode 100644 policy/modules/services/cpucontrol.if delete mode 100644 policy/modules/services/cpucontrol.te delete mode 100644 policy/modules/services/cron.fc delete mode 100644 policy/modules/services/cron.if delete mode 100644 policy/modules/services/cron.te delete mode 100644 policy/modules/services/cups.fc delete mode 100644 policy/modules/services/cups.if delete mode 100644 policy/modules/services/cups.te delete mode 100644 policy/modules/services/cvs.fc delete mode 100644 policy/modules/services/cvs.if delete mode 100644 policy/modules/services/cvs.te delete mode 100644 policy/modules/services/cyphesis.fc delete mode 100644 policy/modules/services/cyphesis.if delete mode 100644 policy/modules/services/cyphesis.te delete mode 100644 policy/modules/services/cyrus.fc delete mode 100644 policy/modules/services/cyrus.if delete mode 100644 policy/modules/services/cyrus.te delete mode 100644 policy/modules/services/dante.fc delete mode 100644 policy/modules/services/dante.if delete mode 100644 policy/modules/services/dante.te delete mode 100644 policy/modules/services/dbskk.fc delete mode 100644 policy/modules/services/dbskk.if delete mode 100644 policy/modules/services/dbskk.te delete mode 100644 policy/modules/services/dbus.fc delete mode 100644 policy/modules/services/dbus.if delete mode 100644 policy/modules/services/dbus.te delete mode 100644 policy/modules/services/dcc.fc delete mode 100644 policy/modules/services/dcc.if delete mode 100644 policy/modules/services/dcc.te delete mode 100644 policy/modules/services/ddclient.fc delete mode 100644 policy/modules/services/ddclient.if delete mode 100644 policy/modules/services/ddclient.te delete mode 100644 policy/modules/services/denyhosts.fc delete mode 100644 policy/modules/services/denyhosts.if delete mode 100644 policy/modules/services/denyhosts.te delete mode 100644 policy/modules/services/devicekit.fc delete mode 100644 policy/modules/services/devicekit.if delete mode 100644 policy/modules/services/devicekit.te delete mode 100644 policy/modules/services/dhcp.fc delete mode 100644 policy/modules/services/dhcp.if delete mode 100644 policy/modules/services/dhcp.te delete mode 100644 policy/modules/services/dictd.fc delete mode 100644 policy/modules/services/dictd.if delete mode 100644 policy/modules/services/dictd.te delete mode 100644 policy/modules/services/distcc.fc delete mode 100644 policy/modules/services/distcc.if delete mode 100644 policy/modules/services/distcc.te delete mode 100644 policy/modules/services/djbdns.fc delete mode 100644 policy/modules/services/djbdns.if delete mode 100644 policy/modules/services/djbdns.te delete mode 100644 policy/modules/services/dkim.fc delete mode 100644 policy/modules/services/dkim.if delete mode 100644 policy/modules/services/dkim.te delete mode 100644 policy/modules/services/dnsmasq.fc delete mode 100644 policy/modules/services/dnsmasq.if delete mode 100644 policy/modules/services/dnsmasq.te delete mode 100644 policy/modules/services/dovecot.fc delete mode 100644 policy/modules/services/dovecot.if delete mode 100644 policy/modules/services/dovecot.te delete mode 100644 policy/modules/services/entropyd.fc delete mode 100644 policy/modules/services/entropyd.if delete mode 100644 policy/modules/services/entropyd.te delete mode 100644 policy/modules/services/exim.fc delete mode 100644 policy/modules/services/exim.if delete mode 100644 policy/modules/services/exim.te delete mode 100644 policy/modules/services/fail2ban.fc delete mode 100644 policy/modules/services/fail2ban.if delete mode 100644 policy/modules/services/fail2ban.te delete mode 100644 policy/modules/services/fetchmail.fc delete mode 100644 policy/modules/services/fetchmail.if delete mode 100644 policy/modules/services/fetchmail.te delete mode 100644 policy/modules/services/finger.fc delete mode 100644 policy/modules/services/finger.if delete mode 100644 policy/modules/services/finger.te delete mode 100644 policy/modules/services/fprintd.fc delete mode 100644 policy/modules/services/fprintd.if delete mode 100644 policy/modules/services/fprintd.te delete mode 100644 policy/modules/services/ftp.fc delete mode 100644 policy/modules/services/ftp.if delete mode 100644 policy/modules/services/ftp.te delete mode 100644 policy/modules/services/gatekeeper.fc delete mode 100644 policy/modules/services/gatekeeper.if delete mode 100644 policy/modules/services/gatekeeper.te delete mode 100644 policy/modules/services/git.fc delete mode 100644 policy/modules/services/git.if delete mode 100644 policy/modules/services/git.te delete mode 100644 policy/modules/services/gnomeclock.fc delete mode 100644 policy/modules/services/gnomeclock.if delete mode 100644 policy/modules/services/gnomeclock.te delete mode 100644 policy/modules/services/gpm.fc delete mode 100644 policy/modules/services/gpm.if delete mode 100644 policy/modules/services/gpm.te delete mode 100644 policy/modules/services/gpsd.fc delete mode 100644 policy/modules/services/gpsd.if delete mode 100644 policy/modules/services/gpsd.te delete mode 100644 policy/modules/services/hadoop.fc delete mode 100644 policy/modules/services/hadoop.if delete mode 100644 policy/modules/services/hadoop.te delete mode 100644 policy/modules/services/hal.fc delete mode 100644 policy/modules/services/hal.if delete mode 100644 policy/modules/services/hal.te delete mode 100644 policy/modules/services/hddtemp.fc delete mode 100644 policy/modules/services/hddtemp.if delete mode 100644 policy/modules/services/hddtemp.te delete mode 100644 policy/modules/services/howl.fc delete mode 100644 policy/modules/services/howl.if delete mode 100644 policy/modules/services/howl.te delete mode 100644 policy/modules/services/i18n_input.fc delete mode 100644 policy/modules/services/i18n_input.if delete mode 100644 policy/modules/services/i18n_input.te delete mode 100644 policy/modules/services/icecast.fc delete mode 100644 policy/modules/services/icecast.if delete mode 100644 policy/modules/services/icecast.te delete mode 100644 policy/modules/services/ifplugd.fc delete mode 100644 policy/modules/services/ifplugd.if delete mode 100644 policy/modules/services/ifplugd.te delete mode 100644 policy/modules/services/imaze.fc delete mode 100644 policy/modules/services/imaze.if delete mode 100644 policy/modules/services/imaze.te delete mode 100644 policy/modules/services/inetd.fc delete mode 100644 policy/modules/services/inetd.if delete mode 100644 policy/modules/services/inetd.te delete mode 100644 policy/modules/services/inn.fc delete mode 100644 policy/modules/services/inn.if delete mode 100644 policy/modules/services/inn.te delete mode 100644 policy/modules/services/ircd.fc delete mode 100644 policy/modules/services/ircd.if delete mode 100644 policy/modules/services/ircd.te delete mode 100644 policy/modules/services/irqbalance.fc delete mode 100644 policy/modules/services/irqbalance.if delete mode 100644 policy/modules/services/irqbalance.te delete mode 100644 policy/modules/services/jabber.fc delete mode 100644 policy/modules/services/jabber.if delete mode 100644 policy/modules/services/jabber.te delete mode 100644 policy/modules/services/kerberos.fc delete mode 100644 policy/modules/services/kerberos.if delete mode 100644 policy/modules/services/kerberos.te delete mode 100644 policy/modules/services/kerneloops.fc delete mode 100644 policy/modules/services/kerneloops.if delete mode 100644 policy/modules/services/kerneloops.te delete mode 100644 policy/modules/services/ksmtuned.fc delete mode 100644 policy/modules/services/ksmtuned.if delete mode 100644 policy/modules/services/ksmtuned.te delete mode 100644 policy/modules/services/ktalk.fc delete mode 100644 policy/modules/services/ktalk.if delete mode 100644 policy/modules/services/ktalk.te delete mode 100644 policy/modules/services/ldap.fc delete mode 100644 policy/modules/services/ldap.if delete mode 100644 policy/modules/services/ldap.te delete mode 100644 policy/modules/services/likewise.fc delete mode 100644 policy/modules/services/likewise.if delete mode 100644 policy/modules/services/likewise.te delete mode 100644 policy/modules/services/lircd.fc delete mode 100644 policy/modules/services/lircd.if delete mode 100644 policy/modules/services/lircd.te delete mode 100644 policy/modules/services/lpd.fc delete mode 100644 policy/modules/services/lpd.if delete mode 100644 policy/modules/services/lpd.te delete mode 100644 policy/modules/services/mailman.fc delete mode 100644 policy/modules/services/mailman.if delete mode 100644 policy/modules/services/mailman.te delete mode 100644 policy/modules/services/mediawiki.fc delete mode 100644 policy/modules/services/mediawiki.if delete mode 100644 policy/modules/services/mediawiki.te delete mode 100644 policy/modules/services/memcached.fc delete mode 100644 policy/modules/services/memcached.if delete mode 100644 policy/modules/services/memcached.te delete mode 100644 policy/modules/services/milter.fc delete mode 100644 policy/modules/services/milter.if delete mode 100644 policy/modules/services/milter.te delete mode 100644 policy/modules/services/modemmanager.fc delete mode 100644 policy/modules/services/modemmanager.if delete mode 100644 policy/modules/services/modemmanager.te delete mode 100644 policy/modules/services/mojomojo.fc delete mode 100644 policy/modules/services/mojomojo.if delete mode 100644 policy/modules/services/mojomojo.te delete mode 100644 policy/modules/services/monop.fc delete mode 100644 policy/modules/services/monop.if delete mode 100644 policy/modules/services/monop.te delete mode 100644 policy/modules/services/mpd.fc delete mode 100644 policy/modules/services/mpd.if delete mode 100644 policy/modules/services/mpd.te delete mode 100644 policy/modules/services/mta.fc delete mode 100644 policy/modules/services/mta.if delete mode 100644 policy/modules/services/mta.te delete mode 100644 policy/modules/services/munin.fc delete mode 100644 policy/modules/services/munin.if delete mode 100644 policy/modules/services/munin.te delete mode 100644 policy/modules/services/mysql.fc delete mode 100644 policy/modules/services/mysql.if delete mode 100644 policy/modules/services/mysql.te delete mode 100644 policy/modules/services/nagios.fc delete mode 100644 policy/modules/services/nagios.if delete mode 100644 policy/modules/services/nagios.te delete mode 100644 policy/modules/services/nessus.fc delete mode 100644 policy/modules/services/nessus.if delete mode 100644 policy/modules/services/nessus.te delete mode 100644 policy/modules/services/networkmanager.fc delete mode 100644 policy/modules/services/networkmanager.if delete mode 100644 policy/modules/services/networkmanager.te delete mode 100644 policy/modules/services/nis.fc delete mode 100644 policy/modules/services/nis.if delete mode 100644 policy/modules/services/nis.te delete mode 100644 policy/modules/services/nscd.fc delete mode 100644 policy/modules/services/nscd.if delete mode 100644 policy/modules/services/nscd.te delete mode 100644 policy/modules/services/nsd.fc delete mode 100644 policy/modules/services/nsd.if delete mode 100644 policy/modules/services/nsd.te delete mode 100644 policy/modules/services/nslcd.fc delete mode 100644 policy/modules/services/nslcd.if delete mode 100644 policy/modules/services/nslcd.te delete mode 100644 policy/modules/services/ntop.fc delete mode 100644 policy/modules/services/ntop.if delete mode 100644 policy/modules/services/ntop.te delete mode 100644 policy/modules/services/ntp.fc delete mode 100644 policy/modules/services/ntp.if delete mode 100644 policy/modules/services/ntp.te delete mode 100644 policy/modules/services/nut.fc delete mode 100644 policy/modules/services/nut.if delete mode 100644 policy/modules/services/nut.te delete mode 100644 policy/modules/services/nx.fc delete mode 100644 policy/modules/services/nx.if delete mode 100644 policy/modules/services/nx.te delete mode 100644 policy/modules/services/oav.fc delete mode 100644 policy/modules/services/oav.if delete mode 100644 policy/modules/services/oav.te delete mode 100644 policy/modules/services/oddjob.fc delete mode 100644 policy/modules/services/oddjob.if delete mode 100644 policy/modules/services/oddjob.te delete mode 100644 policy/modules/services/oident.fc delete mode 100644 policy/modules/services/oident.if delete mode 100644 policy/modules/services/oident.te delete mode 100644 policy/modules/services/openca.fc delete mode 100644 policy/modules/services/openca.if delete mode 100644 policy/modules/services/openca.te delete mode 100644 policy/modules/services/openct.fc delete mode 100644 policy/modules/services/openct.if delete mode 100644 policy/modules/services/openct.te delete mode 100644 policy/modules/services/openvpn.fc delete mode 100644 policy/modules/services/openvpn.if delete mode 100644 policy/modules/services/openvpn.te delete mode 100644 policy/modules/services/pads.fc delete mode 100644 policy/modules/services/pads.if delete mode 100644 policy/modules/services/pads.te delete mode 100644 policy/modules/services/pcscd.fc delete mode 100644 policy/modules/services/pcscd.if delete mode 100644 policy/modules/services/pcscd.te delete mode 100644 policy/modules/services/pegasus.fc delete mode 100644 policy/modules/services/pegasus.if delete mode 100644 policy/modules/services/pegasus.te delete mode 100644 policy/modules/services/perdition.fc delete mode 100644 policy/modules/services/perdition.if delete mode 100644 policy/modules/services/perdition.te delete mode 100644 policy/modules/services/pingd.fc delete mode 100644 policy/modules/services/pingd.if delete mode 100644 policy/modules/services/pingd.te delete mode 100644 policy/modules/services/plymouthd.fc delete mode 100644 policy/modules/services/plymouthd.if delete mode 100644 policy/modules/services/plymouthd.te delete mode 100644 policy/modules/services/policykit.fc delete mode 100644 policy/modules/services/policykit.if delete mode 100644 policy/modules/services/policykit.te delete mode 100644 policy/modules/services/portmap.fc delete mode 100644 policy/modules/services/portmap.if delete mode 100644 policy/modules/services/portmap.te delete mode 100644 policy/modules/services/portreserve.fc delete mode 100644 policy/modules/services/portreserve.if delete mode 100644 policy/modules/services/portreserve.te delete mode 100644 policy/modules/services/portslave.fc delete mode 100644 policy/modules/services/portslave.if delete mode 100644 policy/modules/services/portslave.te delete mode 100644 policy/modules/services/postfix.fc delete mode 100644 policy/modules/services/postfix.if delete mode 100644 policy/modules/services/postfix.te delete mode 100644 policy/modules/services/postfixpolicyd.fc delete mode 100644 policy/modules/services/postfixpolicyd.if delete mode 100644 policy/modules/services/postfixpolicyd.te delete mode 100644 policy/modules/services/postgrey.fc delete mode 100644 policy/modules/services/postgrey.if delete mode 100644 policy/modules/services/postgrey.te delete mode 100644 policy/modules/services/ppp.fc delete mode 100644 policy/modules/services/ppp.if delete mode 100644 policy/modules/services/ppp.te delete mode 100644 policy/modules/services/prelude.fc delete mode 100644 policy/modules/services/prelude.if delete mode 100644 policy/modules/services/prelude.te delete mode 100644 policy/modules/services/privoxy.fc delete mode 100644 policy/modules/services/privoxy.if delete mode 100644 policy/modules/services/privoxy.te delete mode 100644 policy/modules/services/procmail.fc delete mode 100644 policy/modules/services/procmail.if delete mode 100644 policy/modules/services/procmail.te delete mode 100644 policy/modules/services/psad.fc delete mode 100644 policy/modules/services/psad.if delete mode 100644 policy/modules/services/psad.te delete mode 100644 policy/modules/services/publicfile.fc delete mode 100644 policy/modules/services/publicfile.if delete mode 100644 policy/modules/services/publicfile.te delete mode 100644 policy/modules/services/puppet.fc delete mode 100644 policy/modules/services/puppet.if delete mode 100644 policy/modules/services/puppet.te delete mode 100644 policy/modules/services/pxe.fc delete mode 100644 policy/modules/services/pxe.if delete mode 100644 policy/modules/services/pxe.te delete mode 100644 policy/modules/services/pyicqt.fc delete mode 100644 policy/modules/services/pyicqt.if delete mode 100644 policy/modules/services/pyicqt.te delete mode 100644 policy/modules/services/pyzor.fc delete mode 100644 policy/modules/services/pyzor.if delete mode 100644 policy/modules/services/pyzor.te delete mode 100644 policy/modules/services/qmail.fc delete mode 100644 policy/modules/services/qmail.if delete mode 100644 policy/modules/services/qmail.te delete mode 100644 policy/modules/services/qpid.fc delete mode 100644 policy/modules/services/qpid.if delete mode 100644 policy/modules/services/qpid.te delete mode 100644 policy/modules/services/radius.fc delete mode 100644 policy/modules/services/radius.if delete mode 100644 policy/modules/services/radius.te delete mode 100644 policy/modules/services/radvd.fc delete mode 100644 policy/modules/services/radvd.if delete mode 100644 policy/modules/services/radvd.te delete mode 100644 policy/modules/services/razor.fc delete mode 100644 policy/modules/services/razor.if delete mode 100644 policy/modules/services/razor.te delete mode 100644 policy/modules/services/rdisc.fc delete mode 100644 policy/modules/services/rdisc.if delete mode 100644 policy/modules/services/rdisc.te delete mode 100644 policy/modules/services/remotelogin.fc delete mode 100644 policy/modules/services/remotelogin.if delete mode 100644 policy/modules/services/remotelogin.te delete mode 100644 policy/modules/services/resmgr.fc delete mode 100644 policy/modules/services/resmgr.if delete mode 100644 policy/modules/services/resmgr.te delete mode 100644 policy/modules/services/rgmanager.fc delete mode 100644 policy/modules/services/rgmanager.if delete mode 100644 policy/modules/services/rgmanager.te delete mode 100644 policy/modules/services/rhcs.fc delete mode 100644 policy/modules/services/rhcs.if delete mode 100644 policy/modules/services/rhcs.te delete mode 100644 policy/modules/services/rhgb.fc delete mode 100644 policy/modules/services/rhgb.if delete mode 100644 policy/modules/services/rhgb.te delete mode 100644 policy/modules/services/ricci.fc delete mode 100644 policy/modules/services/ricci.if delete mode 100644 policy/modules/services/ricci.te delete mode 100644 policy/modules/services/rlogin.fc delete mode 100644 policy/modules/services/rlogin.if delete mode 100644 policy/modules/services/rlogin.te delete mode 100644 policy/modules/services/roundup.fc delete mode 100644 policy/modules/services/roundup.if delete mode 100644 policy/modules/services/roundup.te delete mode 100644 policy/modules/services/rpc.fc delete mode 100644 policy/modules/services/rpc.if delete mode 100644 policy/modules/services/rpc.te delete mode 100644 policy/modules/services/rpcbind.fc delete mode 100644 policy/modules/services/rpcbind.if delete mode 100644 policy/modules/services/rpcbind.te delete mode 100644 policy/modules/services/rshd.fc delete mode 100644 policy/modules/services/rshd.if delete mode 100644 policy/modules/services/rshd.te delete mode 100644 policy/modules/services/rsync.fc delete mode 100644 policy/modules/services/rsync.if delete mode 100644 policy/modules/services/rsync.te delete mode 100644 policy/modules/services/rtkit.fc delete mode 100644 policy/modules/services/rtkit.if delete mode 100644 policy/modules/services/rtkit.te delete mode 100644 policy/modules/services/rwho.fc delete mode 100644 policy/modules/services/rwho.if delete mode 100644 policy/modules/services/rwho.te delete mode 100644 policy/modules/services/samba.fc delete mode 100644 policy/modules/services/samba.if delete mode 100644 policy/modules/services/samba.te delete mode 100644 policy/modules/services/samhain.fc delete mode 100644 policy/modules/services/samhain.if delete mode 100644 policy/modules/services/samhain.te delete mode 100644 policy/modules/services/sasl.fc delete mode 100644 policy/modules/services/sasl.if delete mode 100644 policy/modules/services/sasl.te delete mode 100644 policy/modules/services/sendmail.fc delete mode 100644 policy/modules/services/sendmail.if delete mode 100644 policy/modules/services/sendmail.te delete mode 100644 policy/modules/services/setroubleshoot.fc delete mode 100644 policy/modules/services/setroubleshoot.if delete mode 100644 policy/modules/services/setroubleshoot.te delete mode 100644 policy/modules/services/slrnpull.fc delete mode 100644 policy/modules/services/slrnpull.if delete mode 100644 policy/modules/services/slrnpull.te delete mode 100644 policy/modules/services/smartmon.fc delete mode 100644 policy/modules/services/smartmon.if delete mode 100644 policy/modules/services/smartmon.te delete mode 100644 policy/modules/services/smokeping.fc delete mode 100644 policy/modules/services/smokeping.if delete mode 100644 policy/modules/services/smokeping.te delete mode 100644 policy/modules/services/snmp.fc delete mode 100644 policy/modules/services/snmp.if delete mode 100644 policy/modules/services/snmp.te delete mode 100644 policy/modules/services/snort.fc delete mode 100644 policy/modules/services/snort.if delete mode 100644 policy/modules/services/snort.te delete mode 100644 policy/modules/services/soundserver.fc delete mode 100644 policy/modules/services/soundserver.if delete mode 100644 policy/modules/services/soundserver.te delete mode 100644 policy/modules/services/spamassassin.fc delete mode 100644 policy/modules/services/spamassassin.if delete mode 100644 policy/modules/services/spamassassin.te delete mode 100644 policy/modules/services/speedtouch.fc delete mode 100644 policy/modules/services/speedtouch.if delete mode 100644 policy/modules/services/speedtouch.te delete mode 100644 policy/modules/services/squid.fc delete mode 100644 policy/modules/services/squid.if delete mode 100644 policy/modules/services/squid.te delete mode 100644 policy/modules/services/sssd.fc delete mode 100644 policy/modules/services/sssd.if delete mode 100644 policy/modules/services/sssd.te delete mode 100644 policy/modules/services/stunnel.fc delete mode 100644 policy/modules/services/stunnel.if delete mode 100644 policy/modules/services/stunnel.te delete mode 100644 policy/modules/services/sysstat.fc delete mode 100644 policy/modules/services/sysstat.if delete mode 100644 policy/modules/services/sysstat.te delete mode 100644 policy/modules/services/tcpd.fc delete mode 100644 policy/modules/services/tcpd.if delete mode 100644 policy/modules/services/tcpd.te delete mode 100644 policy/modules/services/tcsd.fc delete mode 100644 policy/modules/services/tcsd.if delete mode 100644 policy/modules/services/tcsd.te delete mode 100644 policy/modules/services/telnet.fc delete mode 100644 policy/modules/services/telnet.if delete mode 100644 policy/modules/services/telnet.te delete mode 100644 policy/modules/services/tftp.fc delete mode 100644 policy/modules/services/tftp.if delete mode 100644 policy/modules/services/tftp.te delete mode 100644 policy/modules/services/tgtd.fc delete mode 100644 policy/modules/services/tgtd.if delete mode 100644 policy/modules/services/tgtd.te delete mode 100644 policy/modules/services/timidity.fc delete mode 100644 policy/modules/services/timidity.if delete mode 100644 policy/modules/services/timidity.te delete mode 100644 policy/modules/services/tor.fc delete mode 100644 policy/modules/services/tor.if delete mode 100644 policy/modules/services/tor.te delete mode 100644 policy/modules/services/transproxy.fc delete mode 100644 policy/modules/services/transproxy.if delete mode 100644 policy/modules/services/transproxy.te delete mode 100644 policy/modules/services/tuned.fc delete mode 100644 policy/modules/services/tuned.if delete mode 100644 policy/modules/services/tuned.te delete mode 100644 policy/modules/services/ucspitcp.fc delete mode 100644 policy/modules/services/ucspitcp.if delete mode 100644 policy/modules/services/ucspitcp.te delete mode 100644 policy/modules/services/ulogd.fc delete mode 100644 policy/modules/services/ulogd.if delete mode 100644 policy/modules/services/ulogd.te delete mode 100644 policy/modules/services/uptime.fc delete mode 100644 policy/modules/services/uptime.if delete mode 100644 policy/modules/services/uptime.te delete mode 100644 policy/modules/services/usbmuxd.fc delete mode 100644 policy/modules/services/usbmuxd.if delete mode 100644 policy/modules/services/usbmuxd.te delete mode 100644 policy/modules/services/uucp.fc delete mode 100644 policy/modules/services/uucp.if delete mode 100644 policy/modules/services/uucp.te delete mode 100644 policy/modules/services/uwimap.fc delete mode 100644 policy/modules/services/uwimap.if delete mode 100644 policy/modules/services/uwimap.te delete mode 100644 policy/modules/services/varnishd.fc delete mode 100644 policy/modules/services/varnishd.if delete mode 100644 policy/modules/services/varnishd.te delete mode 100644 policy/modules/services/vhostmd.fc delete mode 100644 policy/modules/services/vhostmd.if delete mode 100644 policy/modules/services/vhostmd.te delete mode 100644 policy/modules/services/virt.fc delete mode 100644 policy/modules/services/virt.if delete mode 100644 policy/modules/services/virt.te delete mode 100644 policy/modules/services/vnstatd.fc delete mode 100644 policy/modules/services/vnstatd.if delete mode 100644 policy/modules/services/vnstatd.te delete mode 100644 policy/modules/services/w3c.fc delete mode 100644 policy/modules/services/w3c.if delete mode 100644 policy/modules/services/w3c.te delete mode 100644 policy/modules/services/watchdog.fc delete mode 100644 policy/modules/services/watchdog.if delete mode 100644 policy/modules/services/watchdog.te delete mode 100644 policy/modules/services/xfs.fc delete mode 100644 policy/modules/services/xfs.if delete mode 100644 policy/modules/services/xfs.te delete mode 100644 policy/modules/services/xprint.fc delete mode 100644 policy/modules/services/xprint.if delete mode 100644 policy/modules/services/xprint.te delete mode 100644 policy/modules/services/zabbix.fc delete mode 100644 policy/modules/services/zabbix.if delete mode 100644 policy/modules/services/zabbix.te delete mode 100644 policy/modules/services/zarafa.fc delete mode 100644 policy/modules/services/zarafa.if delete mode 100644 policy/modules/services/zarafa.te delete mode 100644 policy/modules/services/zebra.fc delete mode 100644 policy/modules/services/zebra.if delete mode 100644 policy/modules/services/zebra.te delete mode 100644 policy/modules/services/zosremote.fc delete mode 100644 policy/modules/services/zosremote.if delete mode 100644 policy/modules/services/zosremote.te delete mode 100644 policy/modules/system/daemontools.fc delete mode 100644 policy/modules/system/daemontools.if delete mode 100644 policy/modules/system/daemontools.te delete mode 100644 policy/modules/system/iscsi.fc delete mode 100644 policy/modules/system/iscsi.if delete mode 100644 policy/modules/system/iscsi.te delete mode 100644 policy/modules/system/pcmcia.fc delete mode 100644 policy/modules/system/pcmcia.if delete mode 100644 policy/modules/system/pcmcia.te delete mode 100644 policy/modules/system/raid.fc delete mode 100644 policy/modules/system/raid.if delete mode 100644 policy/modules/system/raid.te delete mode 100644 policy/modules/system/xen.fc delete mode 100644 policy/modules/system/xen.if delete mode 100644 policy/modules/system/xen.te diff --git a/policy/modules/admin/acct.fc b/policy/modules/admin/acct.fc deleted file mode 100644 index e81367cc4..000000000 --- a/policy/modules/admin/acct.fc +++ /dev/null @@ -1,9 +0,0 @@ - -/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0) - -/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) - -/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) - -/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) -/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if deleted file mode 100644 index e66c296e1..000000000 --- a/policy/modules/admin/acct.if +++ /dev/null @@ -1,80 +0,0 @@ -## Berkeley process accounting - -######################################## -## -## Transition to the accounting management domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`acct_domtrans',` - gen_require(` - type acct_t, acct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, acct_exec_t, acct_t) -') - -######################################## -## -## Execute accounting management tools in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`acct_exec',` - gen_require(` - type acct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, acct_exec_t) -') - -######################################## -## -## Execute accounting management data in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# cjp: this is added for logrotate, and does -# not make sense to me. -interface(`acct_exec_data',` - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - can_exec($1, acct_data_t) -') - -######################################## -## -## Create, read, write, and delete process accounting data. -## -## -## -## Domain allowed access. -## -## -# -interface(`acct_manage_data',` - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - manage_files_pattern($1, acct_data_t, acct_data_t) - manage_lnk_files_pattern($1, acct_data_t, acct_data_t) -') diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te deleted file mode 100644 index 63ef90ec7..000000000 --- a/policy/modules/admin/acct.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(acct, 1.5.0) - -######################################## -# -# Declarations -# - -type acct_t; -type acct_exec_t; -init_system_domain(acct_t, acct_exec_t) - -type acct_data_t; -logging_log_file(acct_data_t) - -######################################## -# -# Local Policy -# - -# gzip needs chown capability for some reason -allow acct_t self:capability { sys_pacct chown fsetid }; -# not sure why we need kill, the command "last" is reported as using it -dontaudit acct_t self:capability { kill sys_tty_config }; - -allow acct_t self:fifo_file rw_fifo_file_perms; -allow acct_t self:process signal_perms; - -manage_files_pattern(acct_t, acct_data_t, acct_data_t) -manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t) - -can_exec(acct_t, acct_exec_t) - -kernel_list_proc(acct_t) -kernel_read_system_state(acct_t) -kernel_read_kernel_sysctls(acct_t) - -dev_read_sysfs(acct_t) -# for SSP -dev_read_urand(acct_t) - -fs_search_auto_mountpoints(acct_t) -fs_getattr_xattr_fs(acct_t) - -term_dontaudit_use_console(acct_t) -term_dontaudit_use_generic_ptys(acct_t) - -corecmd_exec_bin(acct_t) -corecmd_exec_shell(acct_t) - -domain_use_interactive_fds(acct_t) - -files_read_etc_files(acct_t) -files_read_etc_runtime_files(acct_t) -files_list_usr(acct_t) -# for nscd -files_dontaudit_search_pids(acct_t) - -init_use_fds(acct_t) -init_use_script_ptys(acct_t) -init_exec_script_files(acct_t) - -logging_send_syslog_msg(acct_t) - -miscfiles_read_localization(acct_t) - -userdom_dontaudit_use_unpriv_user_fds(acct_t) -userdom_dontaudit_search_user_home_dirs(acct_t) - -optional_policy(` - optional_policy(` - # for monthly cron job - auth_log_filetrans_login_records(acct_t) - auth_manage_login_records(acct_t) - ') - - cron_system_entry(acct_t, acct_exec_t) -') - -optional_policy(` - nscd_socket_use(acct_t) -') - -optional_policy(` - seutil_sigchld_newrole(acct_t) -') - -optional_policy(` - udev_read_db(acct_t) -') diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc deleted file mode 100644 index d362d9ce1..000000000 --- a/policy/modules/admin/alsa.fc +++ /dev/null @@ -1,20 +0,0 @@ -HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) - -/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) - -/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) - -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) - -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if deleted file mode 100644 index 139267933..000000000 --- a/policy/modules/admin/alsa.if +++ /dev/null @@ -1,208 +0,0 @@ -## Ainit ALSA configuration tool. - -######################################## -## -## Execute a domain transition to run Alsa. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`alsa_domtrans',` - gen_require(` - type alsa_t, alsa_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, alsa_exec_t, alsa_t) -') - -######################################## -## -## Execute a domain transition to run -## Alsa, and allow the specified role -## the Alsa domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`alsa_run',` - gen_require(` - type alsa_t; - ') - - alsa_domtrans($1) - role $2 types alsa_t; -') - -######################################## -## -## Read and write Alsa semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_rw_semaphores',` - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:sem rw_sem_perms; -') - -######################################## -## -## Read and write Alsa shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_rw_shared_mem',` - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:shm rw_shm_perms; -') - -######################################## -## -## Read writable Alsa config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_rw_config',` - gen_require(` - type alsa_etc_rw_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') -') - -######################################## -## -## Manage writable Alsa config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_manage_rw_config',` - gen_require(` - type alsa_etc_rw_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') -') - -######################################## -## -## Manage alsa home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_manage_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file manage_file_perms; -') - -######################################## -## -## Read Alsa home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file read_file_perms; -') - -######################################## -## -## Relabel alsa home files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_relabel_home_files',` - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file relabel_file_perms; -') - -######################################## -## -## Read Alsa lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_lib',` - gen_require(` - type alsa_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) -') diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te deleted file mode 100644 index dc1b08807..000000000 --- a/policy/modules/admin/alsa.te +++ /dev/null @@ -1,84 +0,0 @@ -policy_module(alsa, 1.11.0) - -######################################## -# -# Declarations -# - -type alsa_t; -type alsa_exec_t; -init_system_domain(alsa_t, alsa_exec_t) -role system_r types alsa_t; - -type alsa_etc_rw_t; -files_config_file(alsa_etc_rw_t) - -type alsa_tmp_t; -files_tmp_file(alsa_tmp_t) - -type alsa_var_lib_t; -files_type(alsa_var_lib_t) - -type alsa_home_t; -userdom_user_home_content(alsa_home_t) - -######################################## -# -# Local policy -# - -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; -dontaudit alsa_t self:capability sys_admin; -allow alsa_t self:sem create_sem_perms; -allow alsa_t self:shm create_shm_perms; -allow alsa_t self:unix_stream_socket create_stream_socket_perms; -allow alsa_t self:unix_dgram_socket create_socket_perms; - -allow alsa_t alsa_home_t:file read_file_perms; - -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) - -can_exec(alsa_t, alsa_exec_t) - -manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) -manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) -files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) -userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) - -manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) -manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) -files_search_var_lib(alsa_t) - -kernel_read_system_state(alsa_t) - -dev_read_sound(alsa_t) -dev_write_sound(alsa_t) -dev_read_sysfs(alsa_t) - -corecmd_exec_bin(alsa_t) - -files_read_etc_files(alsa_t) -files_read_usr_files(alsa_t) - -term_dontaudit_use_console(alsa_t) -term_dontaudit_use_generic_ptys(alsa_t) -term_dontaudit_use_all_ptys(alsa_t) - -auth_use_nsswitch(alsa_t) - -init_use_fds(alsa_t) - -logging_send_syslog_msg(alsa_t) - -miscfiles_read_localization(alsa_t) - -userdom_manage_unpriv_user_semaphores(alsa_t) -userdom_manage_unpriv_user_shared_mem(alsa_t) -userdom_search_user_home_dirs(alsa_t) - -optional_policy(` - hal_use_fds(alsa_t) - hal_write_log(alsa_t) -') diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc deleted file mode 100644 index e3e07011c..000000000 --- a/policy/modules/admin/amanda.fc +++ /dev/null @@ -1,26 +0,0 @@ -/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) -/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) -/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) -/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) -# empty m4 string so the index macro is not invoked -/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) - -/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) - -/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) -/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) -/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) -/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) - -/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) - -/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) -/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) -/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) -/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0) -/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0) -# the null string in here because index is a m4 builtin function -/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0) - -/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if deleted file mode 100644 index 8498e9718..000000000 --- a/policy/modules/admin/amanda.if +++ /dev/null @@ -1,161 +0,0 @@ -## Advanced Maryland Automatic Network Disk Archiver. - -######################################## -## -## Execute a domain transition to run -## Amanda recover. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amanda_domtrans_recover',` - gen_require(` - type amanda_recover_t, amanda_recover_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) -') - -######################################## -## -## Execute a domain transition to run -## Amanda recover, and allow the specified -## role the Amanda recover domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`amanda_run_recover',` - gen_require(` - type amanda_recover_t; - ') - - amanda_domtrans_recover($1) - role $2 types amanda_recover_t; -') - -######################################## -## -## Search Amanda library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_search_lib',` - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read /etc/dumpdates. -## -## -## -## Domain to not audit. -## -## -# -interface(`amanda_dontaudit_read_dumpdates',` - gen_require(` - type amanda_dumpdates_t; - ') - - dontaudit $1 amanda_dumpdates_t:file { getattr read }; -') - -######################################## -## -## Read and write /etc/dumpdates. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_rw_dumpdates_files',` - gen_require(` - type amanda_dumpdates_t; - ') - - files_search_etc($1) - allow $1 amanda_dumpdates_t:file rw_file_perms; -') - -######################################## -## -## Search Amanda library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_manage_lib',` - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir manage_dir_perms; -') - -######################################## -## -## Read and append amanda logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_append_log_files',` - gen_require(` - type amanda_log_t; - ') - - logging_search_logs($1) - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; -') - -####################################### -## -## Search Amanda var library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amanda_search_var_lib',` - gen_require(` - type amanda_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 amanda_var_lib_t:dir search_dir_perms; -') diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te deleted file mode 100644 index 46d467c10..000000000 --- a/policy/modules/admin/amanda.te +++ /dev/null @@ -1,211 +0,0 @@ -policy_module(amanda, 1.13.0) - -####################################### -# -# Declarations -# - -type amanda_t; -type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) -role system_r types amanda_t; - -type amanda_exec_t; -domain_entry_file(amanda_t, amanda_exec_t) - -type amanda_log_t; -logging_log_file(amanda_log_t) - -type amanda_config_t; -files_type(amanda_config_t) - -type amanda_usr_lib_t; -files_type(amanda_usr_lib_t) - -type amanda_var_lib_t; -files_type(amanda_var_lib_t) - -type amanda_gnutarlists_t; -files_type(amanda_gnutarlists_t) - -type amanda_tmp_t; -files_tmp_file(amanda_tmp_t) - -type amanda_amandates_t; -files_type(amanda_amandates_t) - -type amanda_dumpdates_t; -files_type(amanda_dumpdates_t) - -type amanda_data_t; -files_type(amanda_data_t) - -type amanda_recover_t; -type amanda_recover_exec_t; -application_domain(amanda_recover_t, amanda_recover_exec_t) -role system_r types amanda_recover_t; - -type amanda_recover_dir_t; -files_type(amanda_recover_dir_t) - -optional_policy(` - prelink_object_file(amanda_usr_lib_t) -') - -######################################## -# -# Amanda local policy -# - -allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; -allow amanda_t self:fifo_file rw_fifo_file_perms; -allow amanda_t self:unix_stream_socket create_stream_socket_perms; -allow amanda_t self:unix_dgram_socket create_socket_perms; -allow amanda_t self:tcp_socket create_stream_socket_perms; -allow amanda_t self:udp_socket create_socket_perms; - -allow amanda_t amanda_amandates_t:file rw_file_perms; - -allow amanda_t amanda_config_t:file read_file_perms; - -manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) -manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) -filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) - -allow amanda_t amanda_dumpdates_t:file rw_file_perms; - -can_exec(amanda_t, amanda_exec_t) -can_exec(amanda_t, amanda_inetd_exec_t) - -allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; -allow amanda_t amanda_gnutarlists_t:file manage_file_perms; -allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; - -manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) -manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) - -manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) -manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) -logging_log_filetrans(amanda_t, amanda_log_t, { file dir }) - -manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) -manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) -files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) - -kernel_read_system_state(amanda_t) -kernel_read_kernel_sysctls(amanda_t) -kernel_dontaudit_getattr_unlabeled_files(amanda_t) -kernel_dontaudit_read_proc_symlinks(amanda_t) - -corecmd_exec_shell(amanda_t) -corecmd_exec_bin(amanda_t) - -corenet_all_recvfrom_unlabeled(amanda_t) -corenet_all_recvfrom_netlabel(amanda_t) -corenet_tcp_sendrecv_generic_if(amanda_t) -corenet_udp_sendrecv_generic_if(amanda_t) -corenet_raw_sendrecv_generic_if(amanda_t) -corenet_tcp_sendrecv_generic_node(amanda_t) -corenet_udp_sendrecv_generic_node(amanda_t) -corenet_raw_sendrecv_generic_node(amanda_t) -corenet_tcp_sendrecv_all_ports(amanda_t) -corenet_udp_sendrecv_all_ports(amanda_t) -corenet_tcp_bind_generic_node(amanda_t) -corenet_udp_bind_generic_node(amanda_t) -corenet_tcp_bind_all_rpc_ports(amanda_t) -corenet_tcp_bind_generic_port(amanda_t) -corenet_dontaudit_tcp_bind_all_ports(amanda_t) - -dev_getattr_all_blk_files(amanda_t) -dev_getattr_all_chr_files(amanda_t) - -files_read_etc_files(amanda_t) -files_read_etc_runtime_files(amanda_t) -files_list_all(amanda_t) -files_read_all_files(amanda_t) -files_read_all_symlinks(amanda_t) -files_read_all_blk_files(amanda_t) -files_read_all_chr_files(amanda_t) -files_getattr_all_pipes(amanda_t) -files_getattr_all_sockets(amanda_t) - -fs_getattr_xattr_fs(amanda_t) -fs_list_all(amanda_t) - -storage_raw_read_fixed_disk(amanda_t) -storage_read_tape(amanda_t) -storage_write_tape(amanda_t) - -auth_use_nsswitch(amanda_t) -auth_read_shadow(amanda_t) - -logging_send_syslog_msg(amanda_t) - -######################################## -# -# Amanda recover local policy -# - -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; -allow amanda_recover_t self:process { sigkill sigstop signal }; -allow amanda_recover_t self:fifo_file rw_fifo_file_perms; -allow amanda_recover_t self:unix_stream_socket { connect create read write }; -allow amanda_recover_t self:tcp_socket create_stream_socket_perms; -allow amanda_recover_t self:udp_socket create_socket_perms; - -manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) - -manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) -userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) -files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_system_state(amanda_recover_t) -kernel_read_kernel_sysctls(amanda_recover_t) - -corecmd_exec_shell(amanda_recover_t) -corecmd_exec_bin(amanda_recover_t) - -corenet_all_recvfrom_unlabeled(amanda_recover_t) -corenet_all_recvfrom_netlabel(amanda_recover_t) -corenet_tcp_sendrecv_generic_if(amanda_recover_t) -corenet_udp_sendrecv_generic_if(amanda_recover_t) -corenet_tcp_sendrecv_generic_node(amanda_recover_t) -corenet_udp_sendrecv_generic_node(amanda_recover_t) -corenet_tcp_sendrecv_all_ports(amanda_recover_t) -corenet_udp_sendrecv_all_ports(amanda_recover_t) -corenet_tcp_bind_generic_node(amanda_recover_t) -corenet_udp_bind_generic_node(amanda_recover_t) -corenet_tcp_bind_reserved_port(amanda_recover_t) -corenet_tcp_connect_amanda_port(amanda_recover_t) -corenet_sendrecv_amanda_client_packets(amanda_recover_t) - -domain_use_interactive_fds(amanda_recover_t) - -files_read_etc_files(amanda_recover_t) -files_read_etc_runtime_files(amanda_recover_t) -files_search_tmp(amanda_recover_t) -files_search_pids(amanda_recover_t) - -auth_use_nsswitch(amanda_recover_t) - -fstools_domtrans(amanda_t) -fstools_signal(amanda_t) - -logging_search_logs(amanda_recover_t) - -miscfiles_read_localization(amanda_recover_t) - -userdom_use_user_terminals(amanda_recover_t) -userdom_search_user_home_content(amanda_recover_t) diff --git a/policy/modules/admin/amtu.fc b/policy/modules/admin/amtu.fc deleted file mode 100644 index d97160ebb..000000000 --- a/policy/modules/admin/amtu.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if deleted file mode 100644 index be82315d7..000000000 --- a/policy/modules/admin/amtu.if +++ /dev/null @@ -1,46 +0,0 @@ -## Abstract Machine Test Utility. - -######################################## -## -## Execute a domain transition to run Amtu. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amtu_domtrans',` - gen_require(` - type amtu_t, amtu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amtu_exec_t, amtu_t) -') - -######################################## -## -## Execute a domain transition to run -## Amtu, and allow the specified role -## the Amtu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`amtu_run',` - gen_require(` - type amtu_t; - ') - - amtu_domtrans($1) - role $2 types amtu_t; -') diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te deleted file mode 100644 index 057abb0c7..000000000 --- a/policy/modules/admin/amtu.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(amtu, 1.2.0) - -######################################## -# -# Declarations -# - -type amtu_t; -type amtu_exec_t; -domain_type(amtu_t) -domain_entry_file(amtu_t, amtu_exec_t) - -######################################## -# -# amtu local policy -# - -kernel_read_system_state(amtu_t) - -files_manage_boot_files(amtu_t) -files_read_etc_runtime_files(amtu_t) -files_read_etc_files(amtu_t) - -logging_send_audit_msgs(amtu_t) - -userdom_use_user_terminals(amtu_t) - -optional_policy(` - nscd_dontaudit_search_pid(amtu_t) -') - -optional_policy(` - seutil_use_newrole_fds(amtu_t) -') diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc deleted file mode 100644 index b098089d0..000000000 --- a/policy/modules/admin/anaconda.fc +++ /dev/null @@ -1 +0,0 @@ -# No file context specifications. diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if deleted file mode 100644 index 14a61b7e1..000000000 --- a/policy/modules/admin/anaconda.if +++ /dev/null @@ -1 +0,0 @@ -## Anaconda installer. diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te deleted file mode 100644 index e81bdbd7e..000000000 --- a/policy/modules/admin/anaconda.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(anaconda, 1.6.0) - -######################################## -# -# Declarations -# - -type anaconda_t; -type anaconda_exec_t; -domain_type(anaconda_t) -domain_obj_id_change_exemption(anaconda_t) -role system_r types anaconda_t; - -######################################## -# -# Local policy -# - -allow anaconda_t self:process execmem; - -kernel_domtrans_to(anaconda_t, anaconda_exec_t) - -init_domtrans_script(anaconda_t) - -libs_domtrans_ldconfig(anaconda_t) - -logging_send_syslog_msg(anaconda_t) - -modutils_domtrans_insmod(anaconda_t) -modutils_domtrans_depmod(anaconda_t) - -seutil_domtrans_semanage(anaconda_t) - -userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - kudzu_domtrans(anaconda_t) -') - -optional_policy(` - rpm_domtrans(anaconda_t) - rpm_domtrans_script(anaconda_t) -') - -optional_policy(` - ssh_domtrans_keygen(anaconda_t) -') - -optional_policy(` - udev_domtrans(anaconda_t) -') - -optional_policy(` - unconfined_domain(anaconda_t) -') - -optional_policy(` - usermanage_domtrans_admin_passwd(anaconda_t) -') diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc deleted file mode 100644 index e4f485014..000000000 --- a/policy/modules/admin/apt.fc +++ /dev/null @@ -1,21 +0,0 @@ -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) -# apt-shell is redhat specific -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) -# other package managers -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) - -# package cache repository -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) - -# package list repository -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) - -# aptitude lock -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) -# aptitude log -/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) - -# dpkg terminal log -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if deleted file mode 100644 index e696b80c6..000000000 --- a/policy/modules/admin/apt.if +++ /dev/null @@ -1,225 +0,0 @@ -## APT advanced package tool. - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apt_domtrans',` - gen_require(` - type apt_t, apt_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, apt_exec_t, apt_t) -') - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the apt domain. -## -## -## -# -interface(`apt_run',` - gen_require(` - type apt_t; - ') - - apt_domtrans($1) - role $2 types apt_t; - # TODO: likely have to add dpkg_run here. -') - -######################################## -## -## Inherit and use file descriptors from apt. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_use_fds',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fd use; - # TODO: enforce dpkg_use_fd? -') - -######################################## -## -## Do not audit attempts to use file descriptors from apt. -## -## -## -## Domain to not audit. -## -## -# -interface(`apt_dontaudit_use_fds',` - gen_require(` - type apt_t; - ') - - dontaudit $1 apt_t:fd use; -') - -######################################## -## -## Read from an unnamed apt pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file read_fifo_file_perms; - # TODO: enforce dpkg_read_pipes? -') - -######################################## -## -## Read and write an unnamed apt pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_rw_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file rw_file_perms; - # TODO: enforce dpkg_rw_pipes? -') - -######################################## -## -## Read from and write to apt ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_use_ptys',` - gen_require(` - type apt_devpts_t; - ') - - allow $1 apt_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Read the apt package cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_cache',` - gen_require(` - type apt_var_cache_t; - ') - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; - dontaudit $1 apt_var_cache_t:dir write; - allow $1 apt_var_cache_t:file read_file_perms; -') - -######################################## -## -## Read the apt package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 apt_var_lib_t:dir list_dir_perms; - read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the apt package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - # cjp: shouldnt this be manage_lnk_files? - rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the apt package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`apt_dontaudit_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - dontaudit $1 apt_var_lib_t:dir rw_dir_perms; - dontaudit $1 apt_var_lib_t:file manage_file_perms; - dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; -') diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te deleted file mode 100644 index 40447100d..000000000 --- a/policy/modules/admin/apt.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(apt, 1.6.0) - -######################################## -# -# Declarations -# - -type apt_t; -type apt_exec_t; -init_system_domain(apt_t, apt_exec_t) -domain_system_change_exemption(apt_t) -role system_r types apt_t; - -# pseudo terminal for running dpkg -type apt_devpts_t; -term_pty(apt_devpts_t) - -# aptitude lock file -type apt_lock_t; -files_lock_file(apt_lock_t) - -type apt_tmp_t; -files_tmp_file(apt_tmp_t) - -type apt_tmpfs_t; -files_tmpfs_file(apt_tmpfs_t) - -# package cache -type apt_var_cache_t alias var_cache_apt_t; -files_type(apt_var_cache_t) - -# status files -type apt_var_lib_t alias var_lib_apt_t; -files_type(apt_var_lib_t) - -# aptitude log file -type apt_var_log_t; -logging_log_file(apt_var_log_t) - -######################################## -# -# apt Local policy -# - -allow apt_t self:capability { chown dac_override fowner fsetid }; -allow apt_t self:process { signal setpgid fork }; -allow apt_t self:fd use; -allow apt_t self:fifo_file rw_fifo_file_perms; -allow apt_t self:unix_dgram_socket create_socket_perms; -allow apt_t self:unix_stream_socket rw_stream_socket_perms; -allow apt_t self:unix_dgram_socket sendto; -allow apt_t self:unix_stream_socket connectto; -allow apt_t self:udp_socket { connect create_socket_perms }; -allow apt_t self:tcp_socket create_stream_socket_perms; -allow apt_t self:shm create_shm_perms; -allow apt_t self:sem create_sem_perms; -allow apt_t self:msgq create_msgq_perms; -allow apt_t self:msg { send receive }; -# Run update -allow apt_t self:netlink_route_socket r_netlink_socket_perms; - -# lock files -allow apt_t apt_lock_t:dir manage_dir_perms; -allow apt_t apt_lock_t:file manage_file_perms; -files_lock_filetrans(apt_t, apt_lock_t, {dir file}) - -manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) -manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) -files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) - -manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Access /var/cache/apt files -manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) -files_var_filetrans(apt_t, apt_var_cache_t, dir) - -# Access /var/lib/apt files -manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) - -# log files -allow apt_t apt_var_log_t:file manage_file_perms; -logging_log_filetrans(apt_t, apt_var_log_t, file) - -kernel_read_system_state(apt_t) -kernel_read_kernel_sysctls(apt_t) - -# to launch dpkg-preconfigure -corecmd_exec_bin(apt_t) -corecmd_exec_shell(apt_t) - -corenet_all_recvfrom_unlabeled(apt_t) -corenet_all_recvfrom_netlabel(apt_t) -corenet_tcp_sendrecv_generic_if(apt_t) -corenet_udp_sendrecv_generic_if(apt_t) -corenet_tcp_sendrecv_generic_node(apt_t) -corenet_udp_sendrecv_generic_node(apt_t) -corenet_tcp_sendrecv_all_ports(apt_t) -corenet_udp_sendrecv_all_ports(apt_t) -# TODO: really allow all these? -corenet_tcp_bind_generic_node(apt_t) -corenet_udp_bind_generic_node(apt_t) -corenet_tcp_connect_all_ports(apt_t) -corenet_sendrecv_all_client_packets(apt_t) - -dev_read_urand(apt_t) - -domain_getattr_all_domains(apt_t) -domain_use_interactive_fds(apt_t) - -files_exec_usr_files(apt_t) -files_read_etc_files(apt_t) -files_read_etc_runtime_files(apt_t) - -fs_getattr_all_fs(apt_t) - -term_create_pty(apt_t, apt_devpts_t) -term_list_ptys(apt_t) -term_use_all_terms(apt_t) - -libs_exec_ld_so(apt_t) -libs_exec_lib_files(apt_t) - -logging_send_syslog_msg(apt_t) - -miscfiles_read_localization(apt_t) - -seutil_use_newrole_fds(apt_t) - -sysnet_read_config(apt_t) - -userdom_use_user_terminals(apt_t) - -# with boolean, for cron-apt and such? -#optional_policy(` -# cron_system_entry(apt_t,apt_exec_t) -#') - -optional_policy(` - # dpkg interaction - dpkg_read_db(apt_t) - dpkg_domtrans(apt_t) - dpkg_lock_db(apt_t) -') - -optional_policy(` - nis_use_ypbind(apt_t) -') - -optional_policy(` - rpm_read_db(apt_t) - rpm_domtrans(apt_t) -') - -optional_policy(` - unconfined_domain(apt_t) -') diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc deleted file mode 100644 index 223b7f203..000000000 --- a/policy/modules/admin/backup.fc +++ /dev/null @@ -1,13 +0,0 @@ -# backup -# label programs that do backups to other files on disk (IE a cron job that -# calls tar) in backup_exec_t and label the directory for storing them as -# backup_store_t, Debian uses /var/backups - -#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0) - -ifdef(`distro_debian',` -/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) -/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) -') - -/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0) diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if deleted file mode 100644 index 1017b7aac..000000000 --- a/policy/modules/admin/backup.if +++ /dev/null @@ -1,45 +0,0 @@ -## System backup scripts - -######################################## -## -## Execute backup in the backup domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`backup_domtrans',` - gen_require(` - type backup_t, backup_exec_t; - ') - - domtrans_pattern($1, backup_exec_t, backup_t) -') - -######################################## -## -## Execute backup in the backup domain, and -## allow the specified role the backup domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`backup_run',` - gen_require(` - type backup_t; - ') - - backup_domtrans($1) - role $2 types backup_t; -') diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te deleted file mode 100644 index 0bfc9588b..000000000 --- a/policy/modules/admin/backup.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(backup, 1.5.0) - -######################################## -# -# Declarations -# - -type backup_t; -type backup_exec_t; -domain_type(backup_t) -domain_entry_file(backup_t, backup_exec_t) -role system_r types backup_t; - -type backup_store_t; -files_type(backup_store_t) - -######################################## -# -# Local policy -# - -allow backup_t self:capability dac_override; -allow backup_t self:process signal; -allow backup_t self:fifo_file rw_fifo_file_perms; -allow backup_t self:tcp_socket create_socket_perms; -allow backup_t self:udp_socket create_socket_perms; - -allow backup_t backup_store_t:file setattr; -manage_files_pattern(backup_t, backup_store_t, backup_store_t) -rw_files_pattern(backup_t, backup_store_t, backup_store_t) -read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t) - -kernel_read_system_state(backup_t) -kernel_read_kernel_sysctls(backup_t) - -corecmd_exec_bin(backup_t) -corecmd_exec_shell(backup_t) - -corenet_all_recvfrom_unlabeled(backup_t) -corenet_all_recvfrom_netlabel(backup_t) -corenet_tcp_sendrecv_generic_if(backup_t) -corenet_udp_sendrecv_generic_if(backup_t) -corenet_raw_sendrecv_generic_if(backup_t) -corenet_tcp_sendrecv_generic_node(backup_t) -corenet_udp_sendrecv_generic_node(backup_t) -corenet_raw_sendrecv_generic_node(backup_t) -corenet_tcp_sendrecv_all_ports(backup_t) -corenet_udp_sendrecv_all_ports(backup_t) -corenet_tcp_connect_all_ports(backup_t) -corenet_sendrecv_all_client_packets(backup_t) - -dev_getattr_all_blk_files(backup_t) -dev_getattr_all_chr_files(backup_t) -# for SSP -dev_read_urand(backup_t) - -domain_use_interactive_fds(backup_t) - -files_read_all_files(backup_t) -files_read_all_symlinks(backup_t) -files_getattr_all_pipes(backup_t) -files_getattr_all_sockets(backup_t) - -fs_getattr_xattr_fs(backup_t) -fs_list_all(backup_t) - -auth_read_shadow(backup_t) - -logging_send_syslog_msg(backup_t) - -sysnet_read_config(backup_t) - -userdom_use_user_terminals(backup_t) - -optional_policy(` - cron_system_entry(backup_t, backup_exec_t) -') - -optional_policy(` - hostname_exec(backup_t) -') - -optional_policy(` - nis_use_ypbind(backup_t) -') diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc deleted file mode 100644 index 642f67e0a..000000000 --- a/policy/modules/admin/brctl.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if deleted file mode 100644 index 2c2cdb621..000000000 --- a/policy/modules/admin/brctl.if +++ /dev/null @@ -1,20 +0,0 @@ -## Utilities for configuring the linux ethernet bridge - -######################################## -## -## Execute a domain transition to run brctl. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`brctl_domtrans',` - gen_require(` - type brctl_t, brctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, brctl_exec_t, brctl_t) -') diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te deleted file mode 100644 index 9a62a1d02..000000000 --- a/policy/modules/admin/brctl.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(brctl, 1.6.0) - -######################################## -# -# Declarations -# - -type brctl_t; -type brctl_exec_t; -init_system_domain(brctl_t, brctl_exec_t) - -######################################## -# -# brctl local policy -# - -allow brctl_t self:capability net_admin; -allow brctl_t self:fifo_file rw_fifo_file_perms; -allow brctl_t self:unix_stream_socket create_stream_socket_perms; -allow brctl_t self:unix_dgram_socket create_socket_perms; -allow brctl_t self:tcp_socket create_socket_perms; - -kernel_request_load_module(brctl_t) -kernel_read_network_state(brctl_t) -kernel_read_sysctl(brctl_t) - -corenet_rw_tun_tap_dev(brctl_t) - -dev_rw_sysfs(brctl_t) -dev_write_sysfs_dirs(brctl_t) - -# Init script handling -domain_use_interactive_fds(brctl_t) - -files_read_etc_files(brctl_t) - -term_dontaudit_use_console(brctl_t) - -miscfiles_read_localization(brctl_t) - -optional_policy(` - xen_append_log(brctl_t) - xen_dontaudit_rw_unix_stream_sockets(brctl_t) -') diff --git a/policy/modules/admin/certwatch.fc b/policy/modules/admin/certwatch.fc deleted file mode 100644 index b8a3414bb..000000000 --- a/policy/modules/admin/certwatch.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0) diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if deleted file mode 100644 index 953451a44..000000000 --- a/policy/modules/admin/certwatch.if +++ /dev/null @@ -1,78 +0,0 @@ -## Digital Certificate Tracking - -######################################## -## -## Domain transition to certwatch. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certwatch_domtrans',` - gen_require(` - type certwatch_exec_t, certwatch_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, certwatch_exec_t, certwatch_t) -') - -######################################## -## -## Execute certwatch in the certwatch domain, and -## allow the specified role the certwatch domain, -## and use the caller's terminal. Has a sigchld -## backchannel. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`certwatch_run',` - gen_require(` - type certwatch_t; - ') - - certwatch_domtrans($1) - role $2 types certwatch_t; -') - -######################################## -## -## Execute certwatch in the certwatch domain, and -## allow the specified role the certwatch domain, -## and use the caller's terminal. Has a sigchld -## backchannel. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -## -## The type of the terminal allow the certwatch domain to use. -## -## -## -# -interface(`certwatach_run',` - refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.') - certwatch_run($*) -') diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te deleted file mode 100644 index e07cef5d8..000000000 --- a/policy/modules/admin/certwatch.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(certwatch, 1.7.0) - -######################################## -# -# Declarations -# - -type certwatch_t; -type certwatch_exec_t; -application_domain(certwatch_t, certwatch_exec_t) -role system_r types certwatch_t; - -######################################## -# -# Local policy -# -allow certwatch_t self:capability sys_nice; -allow certwatch_t self:process { setsched getsched }; - -dev_read_urand(certwatch_t) - -files_read_etc_files(certwatch_t) -files_read_usr_files(certwatch_t) -files_read_usr_symlinks(certwatch_t) -files_list_tmp(certwatch_t) - -fs_list_inotifyfs(certwatch_t) - -auth_manage_cache(certwatch_t) -auth_var_filetrans_cache(certwatch_t) - -logging_send_syslog_msg(certwatch_t) - -miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) - -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) - -optional_policy(` - apache_exec_modules(certwatch_t) - apache_read_config(certwatch_t) -') - -optional_policy(` - cron_system_entry(certwatch_t, certwatch_exec_t) -') - -optional_policy(` - pcscd_domtrans(certwatch_t) - pcscd_stream_connect(certwatch_t) - pcscd_read_pub_files(certwatch_t) -') diff --git a/policy/modules/admin/ddcprobe.fc b/policy/modules/admin/ddcprobe.fc deleted file mode 100644 index 49e6a2566..000000000 --- a/policy/modules/admin/ddcprobe.fc +++ /dev/null @@ -1,4 +0,0 @@ -# -# /usr -# -/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0) diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if deleted file mode 100644 index 9868652f3..000000000 --- a/policy/modules/admin/ddcprobe.if +++ /dev/null @@ -1,45 +0,0 @@ -## ddcprobe retrieves monitor and graphics card information - -######################################## -## -## Execute ddcprobe in the ddcprobe domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ddcprobe_domtrans',` - gen_require(` - type ddcprobe_t, ddcprobe_exec_t; - ') - - domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t) -') - -######################################## -## -## Execute ddcprobe in the ddcprobe domain, and -## allow the specified role the ddcprobe domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role to be authenticated for ddcprobe domain. -## -## -## -# -interface(`ddcprobe_run',` - gen_require(` - type ddcprobe_t; - ') - - ddcprobe_domtrans($1) - role $2 types ddcprobe_t; -') diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te deleted file mode 100644 index 5e062bc14..000000000 --- a/policy/modules/admin/ddcprobe.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(ddcprobe, 1.2.0) - -######################################## -# -# Declarations -# - -type ddcprobe_t; -type ddcprobe_exec_t; -application_domain(ddcprobe_t, ddcprobe_exec_t) -role system_r types ddcprobe_t; - -######################################## -# -# Local policy -# - -allow ddcprobe_t self:capability { sys_rawio sys_admin }; -allow ddcprobe_t self:process execmem; - -kernel_read_system_state(ddcprobe_t) -kernel_read_kernel_sysctls(ddcprobe_t) -kernel_change_ring_buffer_level(ddcprobe_t) - -files_search_kernel_modules(ddcprobe_t) - -corecmd_list_bin(ddcprobe_t) -corecmd_exec_bin(ddcprobe_t) - -dev_read_urand(ddcprobe_t) -dev_read_raw_memory(ddcprobe_t) -dev_wx_raw_memory(ddcprobe_t) - -files_read_etc_files(ddcprobe_t) -files_read_etc_runtime_files(ddcprobe_t) -files_read_usr_files(ddcprobe_t) - -term_use_all_ttys(ddcprobe_t) -term_use_all_ptys(ddcprobe_t) - -libs_read_lib_files(ddcprobe_t) - -miscfiles_read_localization(ddcprobe_t) - -modutils_read_module_deps(ddcprobe_t) - -userdom_use_user_terminals(ddcprobe_t) -userdom_use_all_users_fds(ddcprobe_t) - -#reh why? this does not seem even necessary to function properly -kudzu_getattr_exec_files(ddcprobe_t) diff --git a/policy/modules/admin/dmidecode.fc b/policy/modules/admin/dmidecode.fc deleted file mode 100644 index 016e6b888..000000000 --- a/policy/modules/admin/dmidecode.fc +++ /dev/null @@ -1,4 +0,0 @@ - -/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0) -/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if deleted file mode 100644 index 4bf435c9e..000000000 --- a/policy/modules/admin/dmidecode.if +++ /dev/null @@ -1,50 +0,0 @@ -## Decode DMI data for x86/ia64 bioses. - -######################################## -## -## Execute dmidecode in the dmidecode domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dmidecode_domtrans',` - gen_require(` - type dmidecode_t, dmidecode_exec_t; - ') - - domain_auto_trans($1, dmidecode_exec_t, dmidecode_t) - - allow $1 dmidecode_t:fd use; - allow dmidecode_t $1:fd use; - allow dmidecode_t $1:fifo_file rw_file_perms; - allow dmidecode_t $1:process sigchld; -') - -######################################## -## -## Execute dmidecode in the dmidecode domain, and -## allow the specified role the dmidecode domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dmidecode_run',` - gen_require(` - type dmidecode_t; - ') - - dmidecode_domtrans($1) - role $2 types dmidecode_t; -') diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te deleted file mode 100644 index d6356b539..000000000 --- a/policy/modules/admin/dmidecode.te +++ /dev/null @@ -1,30 +0,0 @@ -policy_module(dmidecode, 1.4.0) - -######################################## -# -# Declarations -# - -type dmidecode_t; -type dmidecode_exec_t; -application_domain(dmidecode_t, dmidecode_exec_t) -role system_r types dmidecode_t; - -######################################## -# -# Local policy -# - -allow dmidecode_t self:capability sys_rawio; - -dev_read_sysfs(dmidecode_t) -# Allow dmidecode to read /dev/mem -dev_read_raw_memory(dmidecode_t) - -mls_file_read_all_levels(dmidecode_t) - -files_list_usr(dmidecode_t) - -locallogin_use_fds(dmidecode_t) - -userdom_use_user_terminals(dmidecode_t) diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc deleted file mode 100644 index 6d0f9eeaa..000000000 --- a/policy/modules/admin/dpkg.fc +++ /dev/null @@ -1,12 +0,0 @@ -# Debian package manager -/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) -# not sure if dselect should be in apt instead? -/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) - -/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) -# lockfile is treated specially, since used by apt, too -/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0) - -/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) -/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if deleted file mode 100644 index 931717166..000000000 --- a/policy/modules/admin/dpkg.if +++ /dev/null @@ -1,226 +0,0 @@ -## Policy for the Debian package manager. -# TODO: need debconf policy -# TODO: need install-menu policy - -######################################## -## -## Execute dpkg programs in the dpkg domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dpkg_domtrans',` - gen_require(` - type dpkg_t, dpkg_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, dpkg_exec_t, dpkg_t) -') - -######################################## -## -## Execute dpkg_script programs in the dpkg_script domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dpkg_domtrans_script',` - gen_require(` - type dpkg_script_t; - ') - - # transition to dpkg script: - corecmd_shell_domtrans($1, dpkg_script_t) - allow dpkg_script_t $1:fd use; - allow dpkg_script_t $1:fifo_file rw_file_perms; - allow dpkg_script_t $1:process sigchld; -') - -######################################## -## -## Execute dpkg programs in the dpkg domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the dpkg domain. -## -## -## -# -interface(`dpkg_run',` - gen_require(` - type dpkg_t, dpkg_script_t; - ') - - dpkg_domtrans($1) - role $2 types dpkg_t; - role $2 types dpkg_script_t; - seutil_run_loadpolicy(dpkg_script_t, $2) -') - -######################################## -## -## Inherit and use file descriptors from dpkg. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_use_fds',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fd use; -') - -######################################## -## -## Read from an unnamed dpkg pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_read_pipes',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Read and write an unnamed dpkg pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_rw_pipes',` - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Inherit and use file descriptors from dpkg scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_use_script_fds',` - gen_require(` - type dpkg_script_t; - ') - - allow $1 dpkg_script_t:fd use; -') - -######################################## -## -## Read the dpkg package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_read_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the dpkg package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_manage_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the dpkg package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`dpkg_dontaudit_manage_db',` - gen_require(` - type dpkg_var_lib_t; - ') - - dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; - dontaudit $1 dpkg_var_lib_t:file manage_file_perms; - dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; -') - -######################################## -## -## Lock the dpkg package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`dpkg_lock_db',` - gen_require(` - type dpkg_lock_t, dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - allow $1 dpkg_lock_t:file manage_file_perms; -') diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te deleted file mode 100644 index 633d2fcf9..000000000 --- a/policy/modules/admin/dpkg.te +++ /dev/null @@ -1,338 +0,0 @@ -policy_module(dpkg, 1.8.0) - -######################################## -# -# Declarations -# - -type dpkg_t; -type dpkg_exec_t; -# dpkg can start/stop services -init_system_domain(dpkg_t, dpkg_exec_t) -# dpkg can change file labels, roles, IO -domain_obj_id_change_exemption(dpkg_t) -domain_role_change_exemption(dpkg_t) -domain_system_change_exemption(dpkg_t) -domain_interactive_fd(dpkg_t) -role system_r types dpkg_t; - -# lockfile -type dpkg_lock_t; -files_type(dpkg_lock_t) - -type dpkg_tmp_t; -files_tmp_file(dpkg_tmp_t) - -type dpkg_tmpfs_t; -files_tmpfs_file(dpkg_tmpfs_t) - -# status files -type dpkg_var_lib_t alias var_lib_dpkg_t; -files_type(dpkg_var_lib_t) - -# package scripts -type dpkg_script_t; -domain_type(dpkg_script_t) -domain_entry_file(dpkg_t, dpkg_var_lib_t) -corecmd_shell_entry_type(dpkg_script_t) -domain_obj_id_change_exemption(dpkg_script_t) -domain_system_change_exemption(dpkg_script_t) -domain_interactive_fd(dpkg_script_t) -role system_r types dpkg_script_t; - -type dpkg_script_tmp_t; -files_tmp_file(dpkg_script_tmp_t) - -type dpkg_script_tmpfs_t; -files_tmpfs_file(dpkg_script_tmpfs_t) - -######################################## -# -# dpkg Local policy -# - -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; -allow dpkg_t self:process { setpgid fork getsched setfscreate }; -allow dpkg_t self:fd use; -allow dpkg_t self:fifo_file rw_fifo_file_perms; -allow dpkg_t self:unix_dgram_socket create_socket_perms; -allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; -allow dpkg_t self:unix_dgram_socket sendto; -allow dpkg_t self:unix_stream_socket connectto; -allow dpkg_t self:udp_socket { connect create_socket_perms }; -allow dpkg_t self:tcp_socket create_stream_socket_perms; -allow dpkg_t self:shm create_shm_perms; -allow dpkg_t self:sem create_sem_perms; -allow dpkg_t self:msgq create_msgq_perms; -allow dpkg_t self:msg { send receive }; - -allow dpkg_t dpkg_lock_t:file manage_file_perms; - -manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) -manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) -files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) - -manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) -fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Access /var/lib/dpkg files -manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) -files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) - -kernel_read_system_state(dpkg_t) -kernel_read_kernel_sysctls(dpkg_t) - -corecmd_exec_all_executables(dpkg_t) - -# TODO: do we really need all networking? -corenet_all_recvfrom_unlabeled(dpkg_t) -corenet_all_recvfrom_netlabel(dpkg_t) -corenet_tcp_sendrecv_generic_if(dpkg_t) -corenet_raw_sendrecv_generic_if(dpkg_t) -corenet_udp_sendrecv_generic_if(dpkg_t) -corenet_tcp_sendrecv_generic_node(dpkg_t) -corenet_raw_sendrecv_generic_node(dpkg_t) -corenet_udp_sendrecv_generic_node(dpkg_t) -corenet_tcp_sendrecv_all_ports(dpkg_t) -corenet_udp_sendrecv_all_ports(dpkg_t) -corenet_tcp_connect_all_ports(dpkg_t) -corenet_sendrecv_all_client_packets(dpkg_t) - -dev_list_sysfs(dpkg_t) -dev_list_usbfs(dpkg_t) -dev_read_urand(dpkg_t) -#devices_manage_all_device_types(dpkg_t) - -domain_read_all_domains_state(dpkg_t) -domain_getattr_all_domains(dpkg_t) -domain_dontaudit_ptrace_all_domains(dpkg_t) -domain_use_interactive_fds(dpkg_t) -domain_dontaudit_getattr_all_pipes(dpkg_t) -domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) -domain_dontaudit_getattr_all_udp_sockets(dpkg_t) -domain_dontaudit_getattr_all_packet_sockets(dpkg_t) -domain_dontaudit_getattr_all_raw_sockets(dpkg_t) -domain_dontaudit_getattr_all_stream_sockets(dpkg_t) -domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) - -fs_manage_nfs_dirs(dpkg_t) -fs_manage_nfs_files(dpkg_t) -fs_manage_nfs_symlinks(dpkg_t) -fs_getattr_all_fs(dpkg_t) -fs_search_auto_mountpoints(dpkg_t) - -mls_file_read_all_levels(dpkg_t) -mls_file_write_all_levels(dpkg_t) -mls_file_upgrade(dpkg_t) - -selinux_get_fs_mount(dpkg_t) -selinux_validate_context(dpkg_t) -selinux_compute_access_vector(dpkg_t) -selinux_compute_create_context(dpkg_t) -selinux_compute_relabel_context(dpkg_t) -selinux_compute_user_contexts(dpkg_t) - -storage_raw_write_fixed_disk(dpkg_t) -# for installing kernel packages -storage_raw_read_fixed_disk(dpkg_t) - -auth_relabel_all_files_except_auth_files(dpkg_t) -auth_manage_all_files_except_auth_files(dpkg_t) -auth_dontaudit_read_shadow(dpkg_t) - -files_exec_etc_files(dpkg_t) - -init_domtrans_script(dpkg_t) -init_use_script_ptys(dpkg_t) - -libs_exec_ld_so(dpkg_t) -libs_exec_lib_files(dpkg_t) -libs_domtrans_ldconfig(dpkg_t) - -logging_send_syslog_msg(dpkg_t) - -# allow compiling and loading new policy -seutil_manage_src_policy(dpkg_t) -seutil_manage_bin_policy(dpkg_t) - -sysnet_read_config(dpkg_t) - -userdom_use_user_terminals(dpkg_t) -userdom_use_unpriv_users_fds(dpkg_t) - -# transition to dpkg script: -dpkg_domtrans_script(dpkg_t) -# since the scripts aren't labeled correctly yet... -allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; - -optional_policy(` - apt_use_ptys(dpkg_t) -') - -# TODO: allow? -#optional_policy(` -# cron_system_entry(dpkg_t,dpkg_exec_t) -#') - -optional_policy(` - nis_use_ypbind(dpkg_t) -') - -optional_policy(` - unconfined_domain(dpkg_t) -') - -# TODO: the following was copied from dpkg_script_t, and could probably -# be removed again when dpkg_script_t is actually used... -domain_signal_all_domains(dpkg_t) -domain_signull_all_domains(dpkg_t) -files_read_etc_runtime_files(dpkg_t) -files_exec_usr_files(dpkg_t) -miscfiles_read_localization(dpkg_t) -modutils_domtrans_depmod(dpkg_t) -modutils_domtrans_insmod(dpkg_t) -seutil_domtrans_loadpolicy(dpkg_t) -seutil_domtrans_setfiles(dpkg_t) -userdom_use_all_users_fds(dpkg_t) -optional_policy(` - mta_send_mail(dpkg_t) -') -optional_policy(` - usermanage_domtrans_groupadd(dpkg_t) - usermanage_domtrans_useradd(dpkg_t) -') - -######################################## -# -# dpkg-script Local policy -# -# TODO: actually use dpkg_script_t - -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow dpkg_script_t self:fd use; -allow dpkg_script_t self:fifo_file rw_fifo_file_perms; -allow dpkg_script_t self:unix_dgram_socket create_socket_perms; -allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; -allow dpkg_script_t self:unix_dgram_socket sendto; -allow dpkg_script_t self:unix_stream_socket connectto; -allow dpkg_script_t self:shm create_shm_perms; -allow dpkg_script_t self:sem create_sem_perms; -allow dpkg_script_t self:msgq create_msgq_perms; -allow dpkg_script_t self:msg { send receive }; - -allow dpkg_script_t dpkg_tmp_t:file read_file_perms; - -allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; -allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; -files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) - -allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(dpkg_script_t) -kernel_read_system_state(dpkg_script_t) - -corecmd_exec_all_executables(dpkg_script_t) - -dev_list_sysfs(dpkg_script_t) -# ideally we would not need this -dev_manage_generic_blk_files(dpkg_script_t) -dev_manage_generic_chr_files(dpkg_script_t) -dev_manage_all_blk_files(dpkg_script_t) -dev_manage_all_chr_files(dpkg_script_t) - -domain_read_all_domains_state(dpkg_script_t) -domain_getattr_all_domains(dpkg_script_t) -domain_dontaudit_ptrace_all_domains(dpkg_script_t) -domain_use_interactive_fds(dpkg_script_t) -domain_signal_all_domains(dpkg_script_t) -domain_signull_all_domains(dpkg_script_t) - -files_exec_etc_files(dpkg_script_t) -files_read_etc_runtime_files(dpkg_script_t) -files_exec_usr_files(dpkg_script_t) - -fs_manage_nfs_files(dpkg_script_t) -fs_getattr_nfs(dpkg_script_t) -# why is this not using mount? -fs_getattr_xattr_fs(dpkg_script_t) -fs_mount_xattr_fs(dpkg_script_t) -fs_unmount_xattr_fs(dpkg_script_t) -fs_search_auto_mountpoints(dpkg_script_t) - -mls_file_read_all_levels(dpkg_script_t) -mls_file_write_all_levels(dpkg_script_t) - -selinux_get_fs_mount(dpkg_script_t) -selinux_validate_context(dpkg_script_t) -selinux_compute_access_vector(dpkg_script_t) -selinux_compute_create_context(dpkg_script_t) -selinux_compute_relabel_context(dpkg_script_t) -selinux_compute_user_contexts(dpkg_script_t) - -storage_raw_read_fixed_disk(dpkg_script_t) -storage_raw_write_fixed_disk(dpkg_script_t) - -term_use_all_terms(dpkg_script_t) - -auth_dontaudit_getattr_shadow(dpkg_script_t) -# ideally we would not need this -auth_manage_all_files_except_auth_files(dpkg_script_t) - -init_domtrans_script(dpkg_script_t) -init_use_script_fds(dpkg_script_t) - -libs_exec_ld_so(dpkg_script_t) -libs_exec_lib_files(dpkg_script_t) -libs_domtrans_ldconfig(dpkg_script_t) - -logging_send_syslog_msg(dpkg_script_t) - -miscfiles_read_localization(dpkg_script_t) - -modutils_domtrans_depmod(dpkg_script_t) -modutils_domtrans_insmod(dpkg_script_t) - -seutil_domtrans_loadpolicy(dpkg_script_t) -seutil_domtrans_setfiles(dpkg_script_t) - -userdom_use_all_users_fds(dpkg_script_t) - -tunable_policy(`allow_execmem',` - allow dpkg_script_t self:process execmem; -') - -optional_policy(` - apt_rw_pipes(dpkg_script_t) - apt_use_fds(dpkg_script_t) -') - -optional_policy(` - bootloader_domtrans(dpkg_script_t) -') - -optional_policy(` - mta_send_mail(dpkg_script_t) -') - -optional_policy(` - nis_use_ypbind(dpkg_script_t) -') - -optional_policy(` - unconfined_domain(dpkg_script_t) -') - -optional_policy(` - usermanage_domtrans_groupadd(dpkg_script_t) - usermanage_domtrans_useradd(dpkg_script_t) -') diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc deleted file mode 100644 index ba614e457..000000000 --- a/policy/modules/admin/firstboot.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) - -/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if deleted file mode 100644 index 8fa451ccc..000000000 --- a/policy/modules/admin/firstboot.if +++ /dev/null @@ -1,157 +0,0 @@ -## -## Final system configuration run during the first boot -## after installation of Red Hat/Fedora systems. -## - -######################################## -## -## Execute firstboot in the firstboot domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`firstboot_domtrans',` - gen_require(` - type firstboot_t, firstboot_exec_t; - ') - - domtrans_pattern($1, firstboot_exec_t, firstboot_t) -') - -######################################## -## -## Execute firstboot in the firstboot domain, and -## allow the specified role the firstboot domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`firstboot_run',` - gen_require(` - type firstboot_t; - ') - - firstboot_domtrans($1) - role $2 types firstboot_t; -') - -######################################## -## -## Inherit and use a file descriptor from firstboot. -## -## -## -## Domain allowed access. -## -## -# -interface(`firstboot_use_fds',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit a -## file descriptor from firstboot. -## -## -## -## Domain to not audit. -## -## -# -interface(`firstboot_dontaudit_use_fds',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fd use; -') - -######################################## -## -## Write to a firstboot unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`firstboot_write_pipes',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file write; -') - -######################################## -## -## Read and Write to a firstboot unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`firstboot_rw_pipes',` - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file { read write }; -') - -######################################## -## -## Do not audit attemps to read and write to a firstboot unnamed pipe. -## -## -## -## Domain to not audit. -## -## -# -interface(`firstboot_dontaudit_rw_pipes',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fifo_file { read write }; -') - -######################################## -## -## Do not audit attemps to read and write to a firstboot -## unix domain stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`firstboot_dontaudit_rw_stream_sockets',` - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:unix_stream_socket { read write }; -') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te deleted file mode 100644 index c4d899851..000000000 --- a/policy/modules/admin/firstboot.te +++ /dev/null @@ -1,135 +0,0 @@ -policy_module(firstboot, 1.12.0) - -gen_require(` - class passwd rootok; -') - -######################################## -# -# Declarations -# - -type firstboot_t; -type firstboot_exec_t; -init_system_domain(firstboot_t, firstboot_exec_t) -domain_obj_id_change_exemption(firstboot_t) -domain_subj_id_change_exemption(firstboot_t) -role system_r types firstboot_t; - -type firstboot_etc_t; -files_config_file(firstboot_etc_t) - -######################################## -# -# Local policy -# - -allow firstboot_t self:capability { dac_override setgid }; -allow firstboot_t self:process setfscreate; -allow firstboot_t self:fifo_file rw_fifo_file_perms; -allow firstboot_t self:tcp_socket create_stream_socket_perms; -allow firstboot_t self:unix_stream_socket { connect create }; -allow firstboot_t self:passwd rootok; - -allow firstboot_t firstboot_etc_t:file read_file_perms; - -kernel_read_system_state(firstboot_t) -kernel_read_kernel_sysctls(firstboot_t) - -corenet_all_recvfrom_unlabeled(firstboot_t) -corenet_all_recvfrom_netlabel(firstboot_t) -corenet_tcp_sendrecv_generic_if(firstboot_t) -corenet_tcp_sendrecv_generic_node(firstboot_t) -corenet_tcp_sendrecv_all_ports(firstboot_t) - -dev_read_urand(firstboot_t) - -selinux_get_fs_mount(firstboot_t) -selinux_validate_context(firstboot_t) -selinux_compute_access_vector(firstboot_t) -selinux_compute_create_context(firstboot_t) -selinux_compute_relabel_context(firstboot_t) -selinux_compute_user_contexts(firstboot_t) - -auth_dontaudit_getattr_shadow(firstboot_t) - -corecmd_exec_all_executables(firstboot_t) - -files_exec_etc_files(firstboot_t) -files_manage_etc_files(firstboot_t) -files_manage_etc_runtime_files(firstboot_t) -files_read_usr_files(firstboot_t) -files_manage_var_dirs(firstboot_t) -files_manage_var_files(firstboot_t) -files_manage_var_symlinks(firstboot_t) - -init_domtrans_script(firstboot_t) -init_rw_utmp(firstboot_t) - -libs_exec_ld_so(firstboot_t) -libs_exec_lib_files(firstboot_t) - -locallogin_use_fds(firstboot_t) - -logging_send_syslog_msg(firstboot_t) - -miscfiles_read_localization(firstboot_t) - -modutils_domtrans_insmod(firstboot_t) -modutils_domtrans_depmod(firstboot_t) -modutils_read_module_config(firstboot_t) -modutils_read_module_deps(firstboot_t) - -userdom_use_user_terminals(firstboot_t) -# Add/remove user home directories -userdom_manage_user_home_content_dirs(firstboot_t) -userdom_manage_user_home_content_files(firstboot_t) -userdom_manage_user_home_content_symlinks(firstboot_t) -userdom_manage_user_home_content_pipes(firstboot_t) -userdom_manage_user_home_content_sockets(firstboot_t) -userdom_home_filetrans_user_home_dir(firstboot_t) -userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - consoletype_domtrans(firstboot_t) -') - -optional_policy(` - dbus_system_bus_client(firstboot_t) - - optional_policy(` - hal_dbus_chat(firstboot_t) - ') -') - -optional_policy(` - nis_use_ypbind(firstboot_t) -') - -optional_policy(` - samba_rw_config(firstboot_t) -') - -optional_policy(` - unconfined_domtrans(firstboot_t) - # The big hammer - unconfined_domain(firstboot_t) -') - -optional_policy(` - usermanage_domtrans_chfn(firstboot_t) - usermanage_domtrans_groupadd(firstboot_t) - usermanage_domtrans_passwd(firstboot_t) - usermanage_domtrans_useradd(firstboot_t) - usermanage_domtrans_admin_passwd(firstboot_t) -') - -optional_policy(` - gnome_manage_config(firstboot_t) -') - -optional_policy(` - xserver_domtrans(firstboot_t) - xserver_rw_shm(firstboot_t) - xserver_unconfined(firstboot_t) -') diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc deleted file mode 100644 index c66934fb0..000000000 --- a/policy/modules/admin/kdump.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) -/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - -/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if deleted file mode 100644 index 4198ff5f9..000000000 --- a/policy/modules/admin/kdump.if +++ /dev/null @@ -1,111 +0,0 @@ -## Kernel crash dumping mechanism - -###################################### -## -## Execute kdump in the kdump domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kdump_domtrans',` - gen_require(` - type kdump_t, kdump_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kdump_exec_t, kdump_t) -') - -####################################### -## -## Execute kdump in the kdump domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kdump_initrc_domtrans',` - gen_require(` - type kdump_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) -') - -##################################### -## -## Read kdump configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`kdump_read_config',` - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file read_file_perms; -') - -#################################### -## -## Manage kdump configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`kdump_manage_config',` - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file manage_file_perms; -') - -###################################### -## -## All of the rules required to administrate -## an kdump environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the kdump domain. -## -## -## -# -interface(`kdump_admin',` - gen_require(` - type kdump_t, kdump_etc_t; - type kdump_initrc_exec_t; - ') - - allow $1 kdump_t:process { ptrace signal_perms }; - ps_process_pattern($1, kdump_t) - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kdump_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, kdump_etc_t) -') diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te deleted file mode 100644 index b29d8e203..000000000 --- a/policy/modules/admin/kdump.te +++ /dev/null @@ -1,38 +0,0 @@ -policy_module(kdump, 1.2.0) - -####################################### -# -# Declarations -# - -type kdump_t; -type kdump_exec_t; -init_system_domain(kdump_t, kdump_exec_t) - -type kdump_etc_t; -files_config_file(kdump_etc_t) - -type kdump_initrc_exec_t; -init_script_file(kdump_initrc_exec_t) - -##################################### -# -# kdump local policy -# - -allow kdump_t self:capability { sys_boot dac_override }; - -read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) - -files_read_etc_runtime_files(kdump_t) -files_read_kernel_img(kdump_t) - -kernel_read_system_state(kdump_t) -kernel_read_core_if(kdump_t) -kernel_read_debugfs(kdump_t) -kernel_request_load_module(kdump_t) - -dev_read_framebuffer(kdump_t) -dev_read_sysfs(kdump_t) - -term_use_console(kdump_t) diff --git a/policy/modules/admin/kismet.fc b/policy/modules/admin/kismet.fc deleted file mode 100644 index dae60e5ee..000000000 --- a/policy/modules/admin/kismet.fc +++ /dev/null @@ -1,6 +0,0 @@ -HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) - -/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) -/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) -/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) -/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if deleted file mode 100644 index c18c920c2..000000000 --- a/policy/modules/admin/kismet.if +++ /dev/null @@ -1,247 +0,0 @@ -## Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. - -######################################## -## -## Execute a domain transition to run kismet. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kismet_domtrans',` - gen_require(` - type kismet_t, kismet_exec_t; - ') - - domtrans_pattern($1, kismet_exec_t, kismet_t) - allow kismet_t $1:process signull; -') - -######################################## -## -## Execute kismet in the kismet domain, and -## allow the specified role the kismet domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`kismet_run',` - gen_require(` - type kismet_t; - ') - - kismet_domtrans($1) - role $2 types kismet_t; -') - -######################################## -## -## Read kismet PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_read_pid_files',` - gen_require(` - type kismet_var_run_t; - ') - - allow $1 kismet_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## -## Manage kismet var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_pid_files',` - gen_require(` - type kismet_var_run_t; - ') - - allow $1 kismet_var_run_t:file manage_file_perms; - files_search_pids($1) -') - -######################################## -## -## Search kismet lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_search_lib',` - gen_require(` - type kismet_var_lib_t; - ') - - allow $1 kismet_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read kismet lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_read_lib_files',` - gen_require(` - type kismet_var_lib_t; - ') - - allow $1 kismet_var_lib_t:file read_file_perms; - allow $1 kismet_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Create, read, write, and delete -## kismet lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_lib_files',` - gen_require(` - type kismet_var_lib_t; - ') - - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage kismet var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_lib',` - gen_require(` - type kismet_var_lib_t; - ') - - manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) -') - -######################################## -## -## Allow the specified domain to read kismet's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kismet_read_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## -## Allow the specified domain to append -## kismet log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_append_log',` - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, kismet_log_t, kismet_log_t) -') - -######################################## -## -## Allow domain to manage kismet log files -## -## -## -## Domain allowed access. -## -## -# -interface(`kismet_manage_log',` - gen_require(` - type kismet_log_t; - ') - - manage_dirs_pattern($1, kismet_log_t, kismet_log_t) - manage_files_pattern($1, kismet_log_t, kismet_log_t) - manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) - logging_search_logs($1) -') - -######################################## -## -## All of the rules required to administrate an kismet environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kismet_admin',` - gen_require(` - type kismet_t; - ') - - ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; - - kismet_manage_pid_files($1) - kismet_manage_lib($1) - kismet_manage_log($1) -') diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te deleted file mode 100644 index 9dd6880ea..000000000 --- a/policy/modules/admin/kismet.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(kismet, 1.6.0) - -######################################## -# -# Declarations -# - -type kismet_t; -type kismet_exec_t; -application_domain(kismet_t, kismet_exec_t) -role system_r types kismet_t; - -type kismet_home_t; -userdom_user_home_content(kismet_home_t) - -type kismet_log_t; -logging_log_file(kismet_log_t) - -type kismet_tmp_t; -files_tmp_file(kismet_tmp_t) - -type kismet_tmpfs_t; -files_tmp_file(kismet_tmpfs_t) - -type kismet_var_lib_t; -files_type(kismet_var_lib_t) - -type kismet_var_run_t; -files_pid_file(kismet_var_run_t) - -######################################## -# -# kismet local policy -# - -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; -allow kismet_t self:process signal_perms; -allow kismet_t self:fifo_file rw_file_perms; -allow kismet_t self:packet_socket create_socket_perms; -allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; -allow kismet_t self:unix_stream_socket create_stream_socket_perms; -allow kismet_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) -manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) -userdom_search_user_home_dirs(kismet_t) - -manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -allow kismet_t kismet_log_t:dir setattr; -logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) - -manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) - -manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) - -allow kismet_t kismet_var_lib_t:file manage_file_perms; -allow kismet_t kismet_var_lib_t:dir manage_dir_perms; -files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) - -allow kismet_t kismet_var_run_t:file manage_file_perms; -allow kismet_t kismet_var_run_t:dir manage_dir_perms; -files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) - -kernel_search_debugfs(kismet_t) -kernel_read_system_state(kismet_t) -kernel_read_network_state(kismet_t) - -corecmd_exec_bin(kismet_t) - -corenet_all_recvfrom_unlabeled(kismet_t) -corenet_all_recvfrom_netlabel(kismet_t) -corenet_tcp_sendrecv_generic_if(kismet_t) -corenet_tcp_sendrecv_generic_node(kismet_t) -corenet_tcp_sendrecv_all_ports(kismet_t) -corenet_tcp_bind_generic_node(kismet_t) -corenet_tcp_bind_kismet_port(kismet_t) -corenet_tcp_connect_kismet_port(kismet_t) -corenet_tcp_connect_pulseaudio_port(kismet_t) - -auth_use_nsswitch(kismet_t) - -files_read_etc_files(kismet_t) -files_read_usr_files(kismet_t) - -miscfiles_read_localization(kismet_t) - -userdom_use_user_terminals(kismet_t) -userdom_read_user_tmpfs_files(kismet_t) - -optional_policy(` - dbus_system_bus_client(kismet_t) - - networkmanager_dbus_chat(kismet_t) -') diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc deleted file mode 100644 index dd88f746a..000000000 --- a/policy/modules/admin/kudzu.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) -/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) - -/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if deleted file mode 100644 index 65bcaffa1..000000000 --- a/policy/modules/admin/kudzu.if +++ /dev/null @@ -1,64 +0,0 @@ -## Hardware detection and configuration tools - -######################################## -## -## Execute kudzu in the kudzu domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kudzu_domtrans',` - gen_require(` - type kudzu_t, kudzu_exec_t; - ') - - domtrans_pattern($1, kudzu_exec_t, kudzu_t) -') - -######################################## -## -## Execute kudzu in the kudzu domain, and -## allow the specified role the kudzu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`kudzu_run',` - gen_require(` - type kudzu_t; - ') - - kudzu_domtrans($1) - role $2 types kudzu_t; -') - -######################################## -## -## Get attributes of kudzu executable. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for ddcprobe -interface(`kudzu_getattr_exec_files',` - gen_require(` - type kudzu_exec_t; - ') - - allow $1 kudzu_exec_t:file getattr; -') diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te deleted file mode 100644 index 4f7bd3c3e..000000000 --- a/policy/modules/admin/kudzu.te +++ /dev/null @@ -1,145 +0,0 @@ -policy_module(kudzu, 1.8.0) - -######################################## -# -# Declarations -# - -type kudzu_t; -type kudzu_exec_t; -init_system_domain(kudzu_t, kudzu_exec_t) - -type kudzu_tmp_t; -files_tmp_file(kudzu_tmp_t) - -type kudzu_var_run_t; -files_pid_file(kudzu_var_run_t) - -######################################## -# -# Local policy -# - -allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; -dontaudit kudzu_t self:capability sys_tty_config; -allow kudzu_t self:process { signal_perms execmem }; -allow kudzu_t self:fifo_file rw_fifo_file_perms; -allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow kudzu_t self:unix_dgram_socket create_socket_perms; -allow kudzu_t self:udp_socket { create ioctl }; - -manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) -files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file }) - -manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) -manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) -files_pid_filetrans(kudzu_t, kudzu_var_run_t, file) - -kernel_change_ring_buffer_level(kudzu_t) -kernel_list_proc(kudzu_t) -kernel_read_device_sysctls(kudzu_t) -kernel_read_kernel_sysctls(kudzu_t) -kernel_read_proc_symlinks(kudzu_t) -kernel_read_network_state(kudzu_t) -kernel_read_system_state(kudzu_t) -kernel_rw_hotplug_sysctls(kudzu_t) -kernel_rw_kernel_sysctl(kudzu_t) - -files_read_kernel_modules(kudzu_t) - -dev_list_sysfs(kudzu_t) -dev_read_usbfs(kudzu_t) -dev_read_sysfs(kudzu_t) -dev_rx_raw_memory(kudzu_t) -dev_wx_raw_memory(kudzu_t) -dev_rw_mouse(kudzu_t) -dev_rwx_zero(kudzu_t) - -fs_search_auto_mountpoints(kudzu_t) -fs_search_ramfs(kudzu_t) -fs_write_ramfs_sockets(kudzu_t) - -mls_file_read_all_levels(kudzu_t) -mls_file_write_all_levels(kudzu_t) - -storage_read_scsi_generic(kudzu_t) -storage_read_tape(kudzu_t) -storage_raw_write_fixed_disk(kudzu_t) -storage_raw_write_removable_device(kudzu_t) -storage_raw_read_fixed_disk(kudzu_t) -storage_raw_read_removable_device(kudzu_t) - -term_dontaudit_use_console(kudzu_t) -# so it can write messages to the console -term_use_unallocated_ttys(kudzu_t) - -corecmd_exec_all_executables(kudzu_t) - -domain_use_interactive_fds(kudzu_t) - -files_search_var(kudzu_t) -files_search_locks(kudzu_t) -files_manage_etc_files(kudzu_t) -files_manage_etc_runtime_files(kudzu_t) -files_etc_filetrans_etc_runtime(kudzu_t, file) -files_manage_mnt_files(kudzu_t) -files_manage_mnt_symlinks(kudzu_t) -files_dontaudit_search_src(kudzu_t) -# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux -files_read_usr_files(kudzu_t) -# for /etc/sysconfig/hwconf - probably need a new type -files_rw_etc_runtime_files(kudzu_t) -# for file systems that are not yet mounted -files_dontaudit_search_isid_type_dirs(kudzu_t) - -init_use_fds(kudzu_t) -init_use_script_ptys(kudzu_t) -init_stream_connect_script(kudzu_t) -init_read_state(kudzu_t) -init_ptrace(kudzu_t) -# kudzu will telinit to make init re-read -# the inittab after configuring serial consoles -init_telinit(kudzu_t) - -# Read /usr/lib/gconv/gconv-modules.* -libs_read_lib_files(kudzu_t) - -logging_send_syslog_msg(kudzu_t) - -miscfiles_read_hwdata(kudzu_t) -miscfiles_read_localization(kudzu_t) - -modutils_read_module_config(kudzu_t) -modutils_read_module_deps(kudzu_t) -modutils_rename_module_config(kudzu_t) -modutils_delete_module_config(kudzu_t) -modutils_domtrans_insmod(kudzu_t) - -sysnet_read_config(kudzu_t) - -userdom_use_user_terminals(kudzu_t) -userdom_dontaudit_use_unpriv_user_fds(kudzu_t) -userdom_search_user_home_dirs(kudzu_t) - -optional_policy(` - gpm_getattr_gpmctl(kudzu_t) -') - -optional_policy(` - nscd_socket_use(kudzu_t) -') - -optional_policy(` - seutil_sigchld_newrole(kudzu_t) -') - -optional_policy(` - udev_read_db(kudzu_t) -') - -optional_policy(` - unconfined_domtrans(kudzu_t) - unconfined_domain(kudzu_t) -') diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc deleted file mode 100644 index 36c8de7f9..000000000 --- a/policy/modules/admin/logrotate.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -ifdef(`distro_debian', ` -/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -', ` -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) -') diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if deleted file mode 100644 index 9cd6b0b8e..000000000 --- a/policy/modules/admin/logrotate.if +++ /dev/null @@ -1,120 +0,0 @@ -## Rotate and archive system logs - -######################################## -## -## Execute logrotate in the logrotate domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`logrotate_domtrans',` - gen_require(` - type logrotate_t, logrotate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, logrotate_exec_t, logrotate_t) -') - -######################################## -## -## Execute logrotate in the logrotate domain, and -## allow the specified role the logrotate domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`logrotate_run',` - gen_require(` - type logrotate_t; - ') - - logrotate_domtrans($1) - role $2 types logrotate_t; -') - -######################################## -## -## Execute logrotate in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`logrotate_exec',` - gen_require(` - type logrotate_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, logrotate_exec_t) -') - -######################################## -## -## Inherit and use logrotate file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`logrotate_use_fds',` - gen_require(` - type logrotate_t; - ') - - allow $1 logrotate_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit logrotate file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`logrotate_dontaudit_use_fds',` - gen_require(` - type logrotate_t; - ') - - dontaudit $1 logrotate_t:fd use; -') - -######################################## -## -## Read a logrotate temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logrotate_read_tmp_files',` - gen_require(` - type logrotate_tmp_t; - ') - - files_search_tmp($1) - allow $1 logrotate_tmp_t:file read_file_perms; -') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te deleted file mode 100644 index 7090dae78..000000000 --- a/policy/modules/admin/logrotate.te +++ /dev/null @@ -1,230 +0,0 @@ -policy_module(logrotate, 1.14.0) - -######################################## -# -# Declarations -# - -type logrotate_t; -domain_type(logrotate_t) -domain_obj_id_change_exemption(logrotate_t) -domain_system_change_exemption(logrotate_t) -role system_r types logrotate_t; - -type logrotate_exec_t; -domain_entry_file(logrotate_t, logrotate_exec_t) - -type logrotate_lock_t; -files_lock_file(logrotate_lock_t) - -type logrotate_tmp_t; -files_tmp_file(logrotate_tmp_t) - -type logrotate_var_lib_t; -files_type(logrotate_var_lib_t) - -######################################## -# -# Local policy -# - -# Change ownership on log files. -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; - -allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - -# Set a context other than the default one for newly created files. -allow logrotate_t self:process setfscreate; - -allow logrotate_t self:fd use; -allow logrotate_t self:fifo_file rw_fifo_file_perms; -allow logrotate_t self:unix_dgram_socket create_socket_perms; -allow logrotate_t self:unix_stream_socket create_stream_socket_perms; -allow logrotate_t self:unix_dgram_socket sendto; -allow logrotate_t self:unix_stream_socket connectto; -allow logrotate_t self:shm create_shm_perms; -allow logrotate_t self:sem create_sem_perms; -allow logrotate_t self:msgq create_msgq_perms; -allow logrotate_t self:msg { send receive }; - -allow logrotate_t logrotate_lock_t:file manage_file_perms; -files_lock_filetrans(logrotate_t, logrotate_lock_t, file) - -can_exec(logrotate_t, logrotate_tmp_t) - -manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) -manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) -files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) - -# for /var/lib/logrotate.status and /var/lib/logcheck -create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) -files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) - -kernel_read_system_state(logrotate_t) -kernel_read_kernel_sysctls(logrotate_t) - -dev_read_urand(logrotate_t) - -fs_search_auto_mountpoints(logrotate_t) -fs_getattr_xattr_fs(logrotate_t) -fs_list_inotifyfs(logrotate_t) - -mls_file_read_all_levels(logrotate_t) -mls_file_write_all_levels(logrotate_t) -mls_file_upgrade(logrotate_t) - -selinux_get_fs_mount(logrotate_t) -selinux_get_enforce_mode(logrotate_t) - -auth_manage_login_records(logrotate_t) -auth_use_nsswitch(logrotate_t) - -# Run helper programs. -corecmd_exec_bin(logrotate_t) -corecmd_exec_shell(logrotate_t) - -domain_signal_all_domains(logrotate_t) -domain_use_interactive_fds(logrotate_t) -domain_getattr_all_entry_files(logrotate_t) -# Read /proc/PID directories for all domains. -domain_read_all_domains_state(logrotate_t) - -files_read_usr_files(logrotate_t) -files_read_etc_files(logrotate_t) -files_read_etc_runtime_files(logrotate_t) -files_read_all_pids(logrotate_t) -files_search_all(logrotate_t) -files_read_var_lib_files(logrotate_t) -# Write to /var/spool/slrnpull - should be moved into its own type. -files_manage_generic_spool(logrotate_t) -files_manage_generic_spool_dirs(logrotate_t) -files_getattr_generic_locks(logrotate_t) - -# cjp: why is this needed? -init_domtrans_script(logrotate_t) - -logging_manage_all_logs(logrotate_t) -logging_send_syslog_msg(logrotate_t) -logging_send_audit_msgs(logrotate_t) -# cjp: why is this needed? -logging_exec_all_logs(logrotate_t) - -miscfiles_read_localization(logrotate_t) - -seutil_dontaudit_read_config(logrotate_t) - -userdom_use_user_terminals(logrotate_t) -userdom_list_user_home_dirs(logrotate_t) -userdom_use_unpriv_users_fds(logrotate_t) - -cron_system_entry(logrotate_t, logrotate_exec_t) -cron_search_spool(logrotate_t) - -mta_send_mail(logrotate_t) - -ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; - # for savelog - can_exec(logrotate_t, logrotate_exec_t) - - # for syslogd-listfiles - logging_read_syslog_config(logrotate_t) - - # for "test -x /sbin/syslogd" - logging_check_exec_syslog(logrotate_t) -') - -optional_policy(` - abrt_cache_manage(logrotate_t) -') - -optional_policy(` - acct_domtrans(logrotate_t) - acct_manage_data(logrotate_t) - acct_exec_data(logrotate_t) -') - -optional_policy(` - apache_read_config(logrotate_t) - apache_domtrans(logrotate_t) - apache_signull(logrotate_t) -') - -optional_policy(` - asterisk_domtrans(logrotate_t) -') - -optional_policy(` - bind_manage_cache(logrotate_t) -') - -optional_policy(` - consoletype_exec(logrotate_t) -') - -optional_policy(` - cups_domtrans(logrotate_t) -') - -optional_policy(` - fail2ban_stream_connect(logrotate_t) -') - -optional_policy(` - hostname_exec(logrotate_t) -') - -optional_policy(` - icecast_signal(logrotate_t) -') - -optional_policy(` - mailman_domtrans(logrotate_t) - mailman_search_data(logrotate_t) - mailman_manage_log(logrotate_t) -') - -optional_policy(` - munin_read_config(logrotate_t) - munin_stream_connect(logrotate_t) - munin_search_lib(logrotate_t) -') - -optional_policy(` - mysql_read_config(logrotate_t) - mysql_search_db(logrotate_t) - mysql_stream_connect(logrotate_t) -') - -optional_policy(` - psad_domtrans(logrotate_t) -') - - -optional_policy(` - samba_exec_log(logrotate_t) -') - -optional_policy(` - sssd_domtrans(logrotate_t) -') - -optional_policy(` - slrnpull_manage_spool(logrotate_t) -') - -optional_policy(` - squid_domtrans(logrotate_t) -') - -optional_policy(` - #Red Hat bug 564565 - su_exec(logrotate_t) -') - -optional_policy(` - varnishd_manage_log(logrotate_t) -') diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc deleted file mode 100644 index 3c7b1e8b5..000000000 --- a/policy/modules/admin/logwatch.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) - -/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) - -/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) -/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) -/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if deleted file mode 100644 index d878e7521..000000000 --- a/policy/modules/admin/logwatch.if +++ /dev/null @@ -1,38 +0,0 @@ -## System log analyzer and reporter - -######################################## -## -## Read logwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`logwatch_read_tmp_files',` - gen_require(` - type logwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 logwatch_tmp_t:file read_file_perms; -') - -######################################## -## -## Search logwatch cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`logwatch_search_cache_dir',` - gen_require(` - type logwatch_cache_t; - ') - - allow $1 logwatch_cache_t:dir search_dir_perms; -') diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te deleted file mode 100644 index 75ce30f3e..000000000 --- a/policy/modules/admin/logwatch.te +++ /dev/null @@ -1,147 +0,0 @@ -policy_module(logwatch, 1.11.0) - -################################# -# -# Declarations -# - -type logwatch_t; -type logwatch_exec_t; -application_domain(logwatch_t, logwatch_exec_t) -role system_r types logwatch_t; - -type logwatch_cache_t; -files_type(logwatch_cache_t) - -type logwatch_lock_t; -files_lock_file(logwatch_lock_t) - -type logwatch_tmp_t; -files_tmp_file(logwatch_tmp_t) - -######################################## -# -# Local policy -# - -allow logwatch_t self:capability { dac_override dac_read_search setgid }; -allow logwatch_t self:process signal; -allow logwatch_t self:fifo_file rw_file_perms; -allow logwatch_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) -manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) - -allow logwatch_t logwatch_lock_t:file manage_file_perms; -files_lock_filetrans(logwatch_t, logwatch_lock_t, file) - -manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) - -kernel_read_fs_sysctls(logwatch_t) -kernel_read_kernel_sysctls(logwatch_t) -kernel_read_system_state(logwatch_t) -kernel_read_net_sysctls(logwatch_t) -kernel_read_network_state(logwatch_t) - -corecmd_exec_bin(logwatch_t) -corecmd_exec_shell(logwatch_t) - -dev_read_urand(logwatch_t) -dev_read_sysfs(logwatch_t) - -# Read /proc/PID directories for all domains. -domain_read_all_domains_state(logwatch_t) - -files_list_var(logwatch_t) -files_read_var_symlinks(logwatch_t) -files_read_etc_files(logwatch_t) -files_read_etc_runtime_files(logwatch_t) -files_read_usr_files(logwatch_t) -files_search_spool(logwatch_t) -files_search_mnt(logwatch_t) -files_dontaudit_search_home(logwatch_t) -files_dontaudit_search_boot(logwatch_t) -# Execs df and if file system mounted with a context avc raised -files_dontaudit_search_all_dirs(logwatch_t) - -fs_getattr_all_fs(logwatch_t) -fs_dontaudit_list_auto_mountpoints(logwatch_t) -fs_list_inotifyfs(logwatch_t) - -term_dontaudit_getattr_pty_dirs(logwatch_t) -term_dontaudit_list_ptys(logwatch_t) - -auth_use_nsswitch(logwatch_t) -auth_dontaudit_read_shadow(logwatch_t) - -init_read_utmp(logwatch_t) -init_dontaudit_write_utmp(logwatch_t) - -libs_read_lib_files(logwatch_t) - -logging_read_all_logs(logwatch_t) -logging_send_syslog_msg(logwatch_t) - -miscfiles_read_localization(logwatch_t) - -selinux_dontaudit_getattr_dir(logwatch_t) - -sysnet_dns_name_resolve(logwatch_t) -sysnet_exec_ifconfig(logwatch_t) - -userdom_dontaudit_search_user_home_dirs(logwatch_t) - -mta_send_mail(logwatch_t) - -ifdef(`distro_redhat',` - files_search_all(logwatch_t) - files_getattr_all_file_type_fs(logwatch_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(logwatch_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(logwatch_t) -') - -optional_policy(` - apache_read_log(logwatch_t) -') - -optional_policy(` - avahi_dontaudit_search_pid(logwatch_t) -') - -optional_policy(` - bind_read_config(logwatch_t) - bind_read_zone(logwatch_t) -') - -optional_policy(` - cron_system_entry(logwatch_t, logwatch_exec_t) -') - -optional_policy(` - hostname_exec(logwatch_t) -') - -optional_policy(` - mta_getattr_spool(logwatch_t) -') - -optional_policy(` - ntp_domtrans(logwatch_t) -') - -optional_policy(` - rpc_search_nfs_state_data(logwatch_t) -') - -optional_policy(` - samba_read_log(logwatch_t) - samba_read_share_files(logwatch_t) -') diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc deleted file mode 100644 index 56c43c087..000000000 --- a/policy/modules/admin/mcelog.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) diff --git a/policy/modules/admin/mcelog.if b/policy/modules/admin/mcelog.if deleted file mode 100644 index 3d4cb1aee..000000000 --- a/policy/modules/admin/mcelog.if +++ /dev/null @@ -1,20 +0,0 @@ -## policy for mcelog - -######################################## -## -## Execute a domain transition to run mcelog. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mcelog_domtrans',` - gen_require(` - type mcelog_t, mcelog_exec_t; - ') - - domtrans_pattern($1, mcelog_exec_t, mcelog_t) -') - diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te deleted file mode 100644 index 567197794..000000000 --- a/policy/modules/admin/mcelog.te +++ /dev/null @@ -1,32 +0,0 @@ -policy_module(mcelog, 1.1.0) - -######################################## -# -# Declarations -# - -type mcelog_t; -type mcelog_exec_t; -application_domain(mcelog_t, mcelog_exec_t) -cron_system_entry(mcelog_t, mcelog_exec_t) - -######################################## -# -# mcelog local policy -# - -allow mcelog_t self:capability sys_admin; - -kernel_read_system_state(mcelog_t) - -dev_read_raw_memory(mcelog_t) -dev_read_kmsg(mcelog_t) - -files_read_etc_files(mcelog_t) - -# for /dev/mem access -mls_file_read_all_levels(mcelog_t) - -logging_send_syslog_msg(mcelog_t) - -miscfiles_read_localization(mcelog_t) diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc deleted file mode 100644 index 37fb95362..000000000 --- a/policy/modules/admin/mrtg.fc +++ /dev/null @@ -1,18 +0,0 @@ -# -# /etc -# -/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0) - -# -# /usr -# -/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0) -/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0) - -# -# /var -# -/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) -/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) -/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0) -/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if deleted file mode 100644 index 5970b9c0e..000000000 --- a/policy/modules/admin/mrtg.if +++ /dev/null @@ -1,20 +0,0 @@ -## Network traffic graphing - -######################################## -## -## Create and append mrtg logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mrtg_append_create_logs',` - gen_require(` - type mrtg_log_t; - ') - - append_files_pattern($1, mrtg_log_t, mrtg_log_t) - create_files_pattern($1, mrtg_log_t, mrtg_log_t) -') diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te deleted file mode 100644 index 0e19d8020..000000000 --- a/policy/modules/admin/mrtg.te +++ /dev/null @@ -1,160 +0,0 @@ -policy_module(mrtg, 1.8.0) - -######################################## -# -# Declarations -# - -type mrtg_t; -type mrtg_exec_t; -init_system_domain(mrtg_t, mrtg_exec_t) - -type mrtg_etc_t; -files_config_file(mrtg_etc_t) - -type mrtg_lock_t; -files_lock_file(mrtg_lock_t) - -type mrtg_log_t; -logging_log_file(mrtg_log_t) - -type mrtg_var_lib_t; -files_type(mrtg_var_lib_t) - -type mrtg_var_run_t; -files_pid_file(mrtg_var_run_t) - -######################################## -# -# Local policy -# - -allow mrtg_t self:capability { setgid setuid chown }; -dontaudit mrtg_t self:capability sys_tty_config; -allow mrtg_t self:process signal_perms; -allow mrtg_t self:fifo_file rw_fifo_file_perms; -allow mrtg_t self:unix_stream_socket create_socket_perms; -allow mrtg_t self:tcp_socket create_socket_perms; -allow mrtg_t self:udp_socket create_socket_perms; - -allow mrtg_t mrtg_etc_t:dir list_dir_perms; -read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) -read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) -dontaudit mrtg_t mrtg_etc_t:dir write; -dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; - -manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) -manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) - -manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) -logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir }) - -manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) -manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) - -allow mrtg_t mrtg_var_run_t:file manage_file_perms; -files_pid_filetrans(mrtg_t, mrtg_var_run_t, file) - -kernel_read_system_state(mrtg_t) -kernel_read_network_state(mrtg_t) -kernel_read_kernel_sysctls(mrtg_t) - -corecmd_exec_bin(mrtg_t) -corecmd_exec_shell(mrtg_t) - -corenet_all_recvfrom_unlabeled(mrtg_t) -corenet_all_recvfrom_netlabel(mrtg_t) -corenet_tcp_sendrecv_generic_if(mrtg_t) -corenet_udp_sendrecv_generic_if(mrtg_t) -corenet_tcp_sendrecv_generic_node(mrtg_t) -corenet_udp_sendrecv_generic_node(mrtg_t) -corenet_tcp_sendrecv_all_ports(mrtg_t) -corenet_udp_sendrecv_all_ports(mrtg_t) -corenet_tcp_connect_all_ports(mrtg_t) -corenet_sendrecv_all_client_packets(mrtg_t) - -dev_read_sysfs(mrtg_t) -dev_read_urand(mrtg_t) - -domain_use_interactive_fds(mrtg_t) -domain_dontaudit_search_all_domains_state(mrtg_t) - -files_read_usr_files(mrtg_t) -files_search_var(mrtg_t) -files_search_locks(mrtg_t) -files_search_var_lib(mrtg_t) -files_search_spool(mrtg_t) -files_getattr_tmp_dirs(mrtg_t) -# for uptime -files_read_etc_runtime_files(mrtg_t) -# read config files -files_read_etc_files(mrtg_t) - -fs_search_auto_mountpoints(mrtg_t) -fs_getattr_xattr_fs(mrtg_t) -fs_list_inotifyfs(mrtg_t) - -term_dontaudit_use_console(mrtg_t) - -init_use_fds(mrtg_t) -init_use_script_ptys(mrtg_t) -# for uptime -init_read_utmp(mrtg_t) -init_dontaudit_write_utmp(mrtg_t) - -auth_use_nsswitch(mrtg_t) - -libs_read_lib_files(mrtg_t) - -logging_send_syslog_msg(mrtg_t) - -miscfiles_read_localization(mrtg_t) - -selinux_dontaudit_getattr_dir(mrtg_t) - -userdom_use_user_terminals(mrtg_t) -userdom_dontaudit_read_user_home_content_files(mrtg_t) -userdom_dontaudit_use_unpriv_user_fds(mrtg_t) - -netutils_domtrans_ping(mrtg_t) - -ifdef(`enable_mls',` - corenet_udp_sendrecv_lo_if(mrtg_t) -') - -ifdef(`distro_redhat',` - allow mrtg_t mrtg_lock_t:file manage_file_perms; - filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) -') - -optional_policy(` - apache_manage_sys_content(mrtg_t) -') - -optional_policy(` - cron_system_entry(mrtg_t, mrtg_exec_t) -') - -optional_policy(` - hostname_exec(mrtg_t) -') - -optional_policy(` - hddtemp_domtrans(mrtg_t) -') - -optional_policy(` - seutil_sigchld_newrole(mrtg_t) -') - -optional_policy(` - quota_dontaudit_getattr_db(mrtg_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(mrtg_t) -') - -optional_policy(` - udev_read_db(mrtg_t) -') diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc deleted file mode 100644 index ca1a0e289..000000000 --- a/policy/modules/admin/ncftool.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if deleted file mode 100644 index 75ee31da2..000000000 --- a/policy/modules/admin/ncftool.if +++ /dev/null @@ -1,48 +0,0 @@ -## Netcf network configuration tool (ncftool). - -######################################## -## -## Execute a domain transition to run ncftool. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ncftool_domtrans',` - gen_require(` - type ncftool_t, ncftool_exec_t; - ') - - domtrans_pattern($1, ncftool_exec_t, ncftool_t) -') - -######################################## -## -## Execute ncftool in the ncftool domain, and -## allow the specified role the ncftool domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the ncftool domain. -## -## -# -interface(`ncftool_run',` - gen_require(` - type ncftool_t; - ') - - ncftool_domtrans($1) - role $2 types ncftool_t; - - optional_policy(` - brctl_run(ncftool_t, $2) - ') -') diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te deleted file mode 100644 index ec29391fe..000000000 --- a/policy/modules/admin/ncftool.te +++ /dev/null @@ -1,78 +0,0 @@ -policy_module(ncftool, 1.0.0) - -######################################## -# -# Declarations -# - -type ncftool_t; -type ncftool_exec_t; -application_domain(ncftool_t, ncftool_exec_t) -domain_obj_id_change_exemption(ncftool_t) -domain_system_change_exemption(ncftool_t) -role system_r types ncftool_t; - -######################################## -# -# ncftool local policy -# - -allow ncftool_t self:capability { net_admin sys_ptrace }; -allow ncftool_t self:process signal; -allow ncftool_t self:fifo_file manage_fifo_file_perms; -allow ncftool_t self:unix_stream_socket create_stream_socket_perms; -allow ncftool_t self:tcp_socket create_stream_socket_perms; -allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; - -kernel_read_kernel_sysctls(ncftool_t) -kernel_read_modprobe_sysctls(ncftool_t) -kernel_read_network_state(ncftool_t) -kernel_read_system_state(ncftool_t) -kernel_request_load_module(ncftool_t) -kernel_rw_net_sysctls(ncftool_t) - -corecmd_exec_bin(ncftool_t) -corecmd_exec_shell(ncftool_t) - -domain_read_all_domains_state(ncftool_t) - -dev_read_sysfs(ncftool_t) - -files_read_etc_files(ncftool_t) -files_read_etc_runtime_files(ncftool_t) -files_read_usr_files(ncftool_t) - -miscfiles_read_localization(ncftool_t) - -sysnet_delete_dhcpc_pid(ncftool_t) -sysnet_domtrans_dhcpc(ncftool_t) -sysnet_domtrans_ifconfig(ncftool_t) -sysnet_etc_filetrans_config(ncftool_t) -sysnet_manage_config(ncftool_t) -sysnet_read_dhcpc_state(ncftool_t) -sysnet_read_dhcpc_pid(ncftool_t) -sysnet_signal_dhcpc(ncftool_t) - -userdom_use_user_terminals(ncftool_t) -userdom_read_user_tmp_files(ncftool_t) - -optional_policy(` - consoletype_exec(ncftool_t) -') - -optional_policy(` - dbus_system_bus_client(ncftool_t) -') - -optional_policy(` - iptables_initrc_domtrans(ncftool_t) -') - -optional_policy(` - modutils_read_module_config(ncftool_t) - modutils_domtrans_insmod(ncftool_t) -') - -optional_policy(` - netutils_domtrans(ncftool_t) -') diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc deleted file mode 100644 index 545518dd9..000000000 --- a/policy/modules/admin/passenger.fc +++ /dev/null @@ -1,11 +0,0 @@ -/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) - -/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) - -/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) -/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) - -/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if deleted file mode 100644 index f68b57356..000000000 --- a/policy/modules/admin/passenger.if +++ /dev/null @@ -1,39 +0,0 @@ -## Ruby on rails deployment for Apache and Nginx servers. - -###################################### -## -## Execute passenger in the passenger domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`passenger_domtrans',` - gen_require(` - type passenger_t, passenger_exec_t; - ') - - domtrans_pattern($1, passenger_exec_t, passenger_t) -') - -######################################## -## -## Read passenger lib files -## -## -## -## Domain allowed access. -## -## -# -interface(`passenger_read_lib_files',` - gen_require(` - type passenger_var_lib_t; - ') - - read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) - read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) - files_search_var_lib($1) -') diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te deleted file mode 100644 index 3470036de..000000000 --- a/policy/modules/admin/passenger.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(passanger, 1.0.0) - -######################################## -# -# Declarations -# - -type passenger_t; -type passenger_exec_t; -domain_type(passenger_t) -domain_entry_file(passenger_t, passenger_exec_t) -role system_r types passenger_t; - -type passenger_log_t; -logging_log_file(passenger_log_t) - -type passenger_tmp_t; -files_tmp_file(passenger_tmp_t) - -type passenger_var_lib_t; -files_type(passenger_var_lib_t) - -type passenger_var_run_t; -files_pid_file(passenger_var_run_t) - -######################################## -# -# passanger local policy -# - -allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice }; -allow passenger_t self:process { setpgid setsched sigkill signal }; -allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -can_exec(passenger_t, passenger_exec_t) - -manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) -manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -logging_log_filetrans(passenger_t, passenger_log_t, file) - -manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -files_search_var_lib(passenger_t) - -manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) - -kernel_read_system_state(passenger_t) -kernel_read_kernel_sysctls(passenger_t) - -corenet_all_recvfrom_netlabel(passenger_t) -corenet_all_recvfrom_unlabeled(passenger_t) -corenet_tcp_sendrecv_generic_if(passenger_t) -corenet_tcp_sendrecv_generic_node(passenger_t) -corenet_tcp_connect_http_port(passenger_t) - -corecmd_exec_bin(passenger_t) -corecmd_exec_shell(passenger_t) - -dev_read_urand(passenger_t) - -files_read_etc_files(passenger_t) - -auth_use_nsswitch(passenger_t) - -miscfiles_read_localization(passenger_t) - -userdom_dontaudit_use_user_terminals(passenger_t) - -optional_policy(` - apache_append_log(passenger_t) - apache_read_sys_content(passenger_t) -') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc deleted file mode 100644 index 60b9752a5..000000000 --- a/policy/modules/admin/portage.fc +++ /dev/null @@ -1,33 +0,0 @@ -/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0) -/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0) - -/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0) -/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) -/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - -/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) -/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) - -/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) -/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) - -/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) -/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) -/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) -/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0) -/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) -/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) -/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) -/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) -/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if deleted file mode 100644 index 9f7d652e1..000000000 --- a/policy/modules/admin/portage.if +++ /dev/null @@ -1,316 +0,0 @@ -## -## Portage Package Management System. The primary package management and -## distribution system for Gentoo. -## - -######################################## -## -## Execute emerge in the portage domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portage_domtrans',` - gen_require(` - type portage_t, portage_exec_t; - type portage_fetch_t, portage_fetch_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - - # transition to portage - domtrans_pattern($1, portage_exec_t, portage_t) - domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t) -') - -######################################## -## -## Execute emerge in the portage domain, and -## allow the specified role the portage domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the portage domain. -## -## -## -# -interface(`portage_run',` - gen_require(` - type portage_t, portage_fetch_t, portage_sandbox_t; - ') - - portage_domtrans($1) - role $2 types { portage_t portage_fetch_t portage_sandbox_t }; -') - -######################################## -## -## Template for portage sandbox. -## -## -##

-## Template for portage sandbox. Portage -## does all compiling in the sandbox. -##

-## -## -## -## Domain Allowed Access -## -## -# -interface(`portage_compile_domain',` - - gen_require(` - class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; - type portage_tmpfs_t; - ') - - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; - dontaudit $1 self:capability sys_chroot; - allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; - allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; - allow $1 self:fd use; - allow $1 self:fifo_file rw_fifo_file_perms; - allow $1 self:shm create_shm_perms; - allow $1 self:sem create_sem_perms; - allow $1 self:msgq create_msgq_perms; - allow $1 self:msg { send receive }; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 self:unix_dgram_socket sendto; - allow $1 self:unix_stream_socket connectto; - # really shouldnt need this - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - # misc networking stuff (esp needed for compiling perl): - allow $1 self:rawip_socket { create ioctl }; - # needed for merging dbus: - allow $1 self:netlink_selinux_socket { bind create read }; - allow $1 self:dbus send_msg; - - allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty($1, portage_devpts_t) - - # write compile logs - allow $1 portage_log_t:dir setattr; - allow $1 portage_log_t:file { write_file_perms setattr }; - - # Support live ebuilds (-9999) - manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - - # run scripts out of the build directory - can_exec(portage_sandbox_t, portage_tmp_t) - - manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t) - manage_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t) - files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) - # SELinux-enabled programs running in the sandbox - allow $1 portage_tmp_t:file relabel_file_perms; - - manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - kernel_read_system_state($1) - kernel_read_network_state($1) - kernel_read_software_raid_state($1) - kernel_getattr_core_if($1) - kernel_getattr_message_if($1) - kernel_read_kernel_sysctls($1) - - corecmd_exec_all_executables($1) - - # really shouldnt need this but some packages test - # network access, such as during configure - # also distcc--need to reinvestigate confining distcc client - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_raw_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_raw_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_distccd_port($1) - - dev_read_sysfs($1) - dev_read_rand($1) - dev_read_urand($1) - - domain_use_interactive_fds($1) - domain_dontaudit_read_all_domains_state($1) - # SELinux-aware installs doing relabels in the sandbox - domain_obj_id_change_exemption($1) - - files_exec_etc_files($1) - files_exec_usr_src_files($1) - - fs_getattr_xattr_fs($1) - fs_list_noxattr_fs($1) - fs_read_noxattr_fs_files($1) - fs_read_noxattr_fs_symlinks($1) - fs_search_auto_mountpoints($1) - - selinux_validate_context($1) - # needed for merging dbus: - selinux_compute_access_vector($1) - - auth_read_all_dirs_except_auth_files($1) - auth_read_all_files_except_auth_files($1) - auth_read_all_symlinks_except_auth_files($1) - - libs_exec_lib_files($1) - # some config scripts use ldd - libs_exec_ld_so($1) - # this violates the idea of sandbox, but - # regular sandbox allows it - libs_domtrans_ldconfig($1) - - logging_send_syslog_msg($1) - - userdom_use_user_terminals($1) - - # SELinux-enabled programs running in the sandbox - seutil_libselinux_linked($1) - - tunable_policy(`portage_use_nfs',` - fs_getattr_nfs($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - ifdef(`TODO',` - # some gui ebuilds want to interact with X server, like xawtv - optional_policy(` - allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write }; - allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write }; - ') - ') dnl end TODO -') - -######################################## -## -## Execute gcc-config in the gcc_config domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portage_domtrans_gcc_config',` - gen_require(` - type gcc_config_t, gcc_config_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - - domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) -') - -######################################## -## -## Execute gcc-config in the gcc_config domain, and -## allow the specified role the gcc_config domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the gcc_config domain. -## -## -## -# -interface(`portage_run_gcc_config',` - gen_require(` - type gcc_config_t; - ') - - portage_domtrans_gcc_config($1) - role $2 types gcc_config_t; -') - -######################################## -## -## Do not audit attempts to use -## portage file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`portage_dontaudit_use_fds',` - gen_require(` - type portage_t; - ') - - dontaudit $1 portage_t:fd use; -') - -######################################## -## -## Do not audit attempts to search the -## portage temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`portage_dontaudit_search_tmp',` - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## the portage temporary files. -## -## -## -## Domain to not audit. -## -## -# -interface(`portage_dontaudit_rw_tmp_files',` - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:file rw_file_perms; -') diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te deleted file mode 100644 index 276edb3ef..000000000 --- a/policy/modules/admin/portage.te +++ /dev/null @@ -1,326 +0,0 @@ -policy_module(portage, 1.11.2) - -######################################## -# -# Declarations -# - -## -##

-## Allow the portage domains to use NFS mounts (regular nfs_t) -##

-## -gen_tunable(portage_use_nfs, false) - -type gcc_config_t; -type gcc_config_exec_t; -application_domain(gcc_config_t, gcc_config_exec_t) - -# constraining type -type portage_t; -type portage_exec_t; -application_domain(portage_t, portage_exec_t) -domain_obj_id_change_exemption(portage_t) -rsync_entry_type(portage_t) -corecmd_shell_entry_type(portage_t) - -# portage compile sandbox domain -type portage_sandbox_t; -application_domain(portage_sandbox_t, portage_exec_t) -# the shell is the entrypoint if regular sandbox is disabled -# portage_exec_t is the entrypoint if regular sandbox is enabled -corecmd_shell_entry_type(portage_sandbox_t) - -# portage package fetching domain -type portage_fetch_t; -type portage_fetch_exec_t; -application_domain(portage_fetch_t, portage_fetch_exec_t) -corecmd_shell_entry_type(portage_fetch_t) -rsync_entry_type(portage_fetch_t) - -type portage_devpts_t; -term_pty(portage_devpts_t) - -type portage_ebuild_t; -files_type(portage_ebuild_t) - -type portage_fetch_tmp_t; -files_tmp_file(portage_fetch_tmp_t) - -type portage_db_t; -files_type(portage_db_t) - -type portage_conf_t; -files_type(portage_conf_t) - -type portage_cache_t; -files_type(portage_cache_t) - -type portage_gpg_t; -files_type(portage_gpg_t) - -type portage_log_t; -logging_log_file(portage_log_t) - -type portage_srcrepo_t; -files_type(portage_srcrepo_t) - -type portage_tmp_t; -files_tmp_file(portage_tmp_t) - -type portage_tmpfs_t; -files_tmpfs_file(portage_tmpfs_t) - -######################################## -# -# gcc-config policy -# - -allow gcc_config_t self:capability { chown fsetid }; -allow gcc_config_t self:fifo_file rw_file_perms; - -manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) - -read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) - -allow gcc_config_t portage_ebuild_t:dir list_dir_perms; -read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) - -allow gcc_config_t portage_exec_t:file mmap_file_perms; - -kernel_read_system_state(gcc_config_t) -kernel_read_kernel_sysctls(gcc_config_t) - -corecmd_exec_shell(gcc_config_t) -corecmd_exec_bin(gcc_config_t) -corecmd_manage_bin_files(gcc_config_t) - -domain_use_interactive_fds(gcc_config_t) - -files_manage_etc_files(gcc_config_t) -files_rw_etc_runtime_files(gcc_config_t) -files_read_usr_files(gcc_config_t) -files_search_var_lib(gcc_config_t) -files_search_pids(gcc_config_t) -# complains loudly about not being able to list -# the directory it is being run from -files_list_all(gcc_config_t) - -# seems to be ok without this -init_dontaudit_read_script_status_files(gcc_config_t) - -libs_read_lib_files(gcc_config_t) -libs_domtrans_ldconfig(gcc_config_t) -libs_manage_shared_libs(gcc_config_t) -# gcc-config creates a temp dir for the libs -libs_manage_lib_dirs(gcc_config_t) - -logging_send_syslog_msg(gcc_config_t) - -miscfiles_read_localization(gcc_config_t) - -userdom_use_user_terminals(gcc_config_t) - -consoletype_exec(gcc_config_t) - -ifdef(`distro_gentoo',` - init_exec_rc(gcc_config_t) -') - -optional_policy(` - seutil_use_newrole_fds(gcc_config_t) -') - -######################################## -# -# Portage Merging Rules -# - -# - setfscreate for merging to live fs -# - setexec to run portage fetch -allow portage_t self:process { setfscreate setexec }; -# - kill for mysql merging, at least -allow portage_t self:capability { sys_nice kill setfcap }; - -# user post-sync scripts -can_exec(portage_t, portage_conf_t) - -allow portage_t portage_log_t:file manage_file_perms; -logging_log_filetrans(portage_t, portage_log_t, file) - -allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; - -# transition for rsync and wget -corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) -rsync_entry_domtrans(portage_t, portage_fetch_t) -allow portage_fetch_t portage_t:fd use; -allow portage_fetch_t portage_t:fifo_file rw_file_perms; -allow portage_fetch_t portage_t:process sigchld; - -# transition to sandbox for compiling -domain_trans(portage_t, portage_exec_t, portage_sandbox_t) -corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) -allow portage_sandbox_t portage_t:fd use; -allow portage_sandbox_t portage_t:fifo_file rw_file_perms; -allow portage_sandbox_t portage_t:process sigchld; -allow portage_sandbox_t self:process ptrace; - -# run scripts out of the build directory -can_exec(portage_t, portage_tmp_t) - -# merging baselayout will need this: -kernel_write_proc_files(portage_t) - -domain_dontaudit_read_all_domains_state(portage_t) - -# modify any files in the system -files_manage_all_files(portage_t) - -selinux_get_fs_mount(portage_t) - -auth_manage_shadow(portage_t) - -# merging baselayout will need this: -init_exec(portage_t) - -# run setfiles -r -seutil_domtrans_setfiles(portage_t) -# run semodule -seutil_domtrans_semanage(portage_t) - -portage_domtrans_gcc_config(portage_t) -# if sesandbox is disabled, compiling is performed in this domain -portage_compile_domain(portage_t) - -optional_policy(` - bootloader_domtrans(portage_t) -') - -optional_policy(` - cron_system_entry(portage_t, portage_exec_t) - cron_system_entry(portage_fetch_t, portage_fetch_exec_t) -') - -optional_policy(` - modutils_domtrans_depmod(portage_t) - modutils_domtrans_update_mods(portage_t) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -') - -optional_policy(` - usermanage_domtrans_groupadd(portage_t) - usermanage_domtrans_useradd(portage_t) -') - -ifdef(`TODO',` -# seems to work ok without these -dontaudit portage_t device_t:{ blk_file chr_file } getattr; -dontaudit portage_t proc_t:dir setattr; -dontaudit portage_t device_type:chr_file read_chr_file_perms; -dontaudit portage_t device_type:blk_file read_blk_file_perms; -') - -########################################## -# -# Portage fetch domain -# - for rsync and distfile fetching -# - -allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; -allow portage_fetch_t self:fifo_file rw_fifo_file_perms; -allow portage_fetch_t self:tcp_socket create_stream_socket_perms; -allow portage_fetch_t self:unix_stream_socket create_socket_perms; - -allow portage_fetch_t portage_conf_t:dir list_dir_perms; - -allow portage_fetch_t portage_gpg_t:dir rw_dir_perms; -allow portage_fetch_t portage_gpg_t:file manage_file_perms; - -allow portage_fetch_t portage_tmp_t:dir manage_dir_perms; -allow portage_fetch_t portage_tmp_t:file manage_file_perms; - -read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) - -manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) -manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) - -manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) - -kernel_read_system_state(portage_fetch_t) -kernel_read_kernel_sysctls(portage_fetch_t) - -corecmd_exec_bin(portage_fetch_t) -corecmd_exec_shell(portage_fetch_t) - -corenet_all_recvfrom_unlabeled(portage_fetch_t) -corenet_all_recvfrom_netlabel(portage_fetch_t) -corenet_tcp_sendrecv_generic_if(portage_fetch_t) -corenet_tcp_sendrecv_generic_node(portage_fetch_t) -corenet_tcp_sendrecv_all_ports(portage_fetch_t) -corenet_tcp_connect_http_cache_port(portage_fetch_t) -corenet_tcp_connect_git_port(portage_fetch_t) -corenet_tcp_connect_rsync_port(portage_fetch_t) -corenet_sendrecv_http_client_packets(portage_fetch_t) -corenet_sendrecv_http_cache_client_packets(portage_fetch_t) -corenet_sendrecv_git_client_packets(portage_fetch_t) -corenet_sendrecv_rsync_client_packets(portage_fetch_t) -# would rather not connect to unspecified ports, but -# it occasionally comes up -corenet_tcp_connect_all_reserved_ports(portage_fetch_t) -corenet_tcp_connect_generic_port(portage_fetch_t) - -dev_dontaudit_read_rand(portage_fetch_t) - -domain_use_interactive_fds(portage_fetch_t) - -files_read_etc_files(portage_fetch_t) -files_read_etc_runtime_files(portage_fetch_t) -files_read_usr_files(portage_fetch_t) -files_search_var_lib(portage_fetch_t) -files_dontaudit_search_pids(portage_fetch_t) - -logging_list_logs(portage_fetch_t) - -term_search_ptys(portage_fetch_t) - -miscfiles_read_localization(portage_fetch_t) - -sysnet_read_config(portage_fetch_t) -sysnet_dns_name_resolve(portage_fetch_t) - -userdom_use_user_terminals(portage_fetch_t) -userdom_dontaudit_read_user_home_content_files(portage_fetch_t) - -rsync_exec(portage_fetch_t) - -ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; -') - -tunable_policy(`portage_use_nfs',` - fs_getattr_nfs(portage_fetch_t) - fs_manage_nfs_dirs(portage_fetch_t) - fs_manage_nfs_files(portage_fetch_t) - fs_manage_nfs_symlinks(portage_fetch_t) -') - -optional_policy(` - gpg_exec(portage_fetch_t) -') - -########################################## -# -# Portage sandbox domain -# - SELinux-enforced sandbox -# - -portage_compile_domain(portage_sandbox_t) - -ifdef(`hide_broken_symptoms',` - # leaked descriptors - dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; - dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; -') diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc deleted file mode 100644 index ec0e76a4e..000000000 --- a/policy/modules/admin/prelink.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) - -/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) - -/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) - -/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) -/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) - -/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if deleted file mode 100644 index 93ec17558..000000000 --- a/policy/modules/admin/prelink.if +++ /dev/null @@ -1,204 +0,0 @@ -## Prelink ELF shared library mappings. - -######################################## -## -## Execute the prelink program in the prelink domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`prelink_domtrans',` - gen_require(` - type prelink_t, prelink_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelink_exec_t, prelink_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit prelink_t $1:socket_class_set { read write }; - dontaudit prelink_t $1:fifo_file setattr; - ') -') - -######################################## -## -## Execute the prelink program in the current domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_exec',` - gen_require(` - type prelink_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, prelink_exec_t) -') - -######################################## -## -## Execute the prelink program in the prelink domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the prelink domain. -## -## -## -# -interface(`prelink_run',` - gen_require(` - type prelink_t; - ') - - prelink_domtrans($1) - role $2 types prelink_t; -') - -######################################## -## -## Make the specified file type prelinkable. -## -## -## -## File type to be prelinked. -## -## -# -# cjp: added for misc non-entrypoint objects -interface(`prelink_object_file',` - gen_require(` - attribute prelink_object; - ') - - typeattribute $1 prelink_object; -') - -######################################## -## -## Read the prelink cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_read_cache',` - gen_require(` - type prelink_cache_t; - ') - - files_search_etc($1) - allow $1 prelink_cache_t:file read_file_perms; -') - -######################################## -## -## Delete the prelink cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_delete_cache',` - gen_require(` - type prelink_cache_t; - ') - - allow $1 prelink_cache_t:file unlink; - files_rw_etc_dirs($1) -') - -######################################## -## -## Create, read, write, and delete -## prelink log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_manage_log',` - gen_require(` - type prelink_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, prelink_log_t, prelink_log_t) -') - -######################################## -## -## Create, read, write, and delete -## prelink var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_manage_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') - -######################################## -## -## Relabel from files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_relabelfrom_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') - -######################################## -## -## Relabel from files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelink_relabel_lib',` - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) -') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te deleted file mode 100644 index af5536998..000000000 --- a/policy/modules/admin/prelink.te +++ /dev/null @@ -1,164 +0,0 @@ -policy_module(prelink, 1.10.0) - -######################################## -# -# Declarations - -attribute prelink_object; - -type prelink_t; -type prelink_exec_t; -init_system_domain(prelink_t, prelink_exec_t) -domain_obj_id_change_exemption(prelink_t) - -type prelink_cache_t; -files_type(prelink_cache_t) - -type prelink_cron_system_t; -type prelink_cron_system_exec_t; -domain_type(prelink_cron_system_t) -domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) - -type prelink_log_t; -logging_log_file(prelink_log_t) - -type prelink_tmp_t; -files_tmp_file(prelink_tmp_t) - -type prelink_tmpfs_t; -files_tmpfs_file(prelink_tmpfs_t) - -type prelink_var_lib_t; -files_type(prelink_var_lib_t) - -######################################## -# -# Local policy -# - -allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; -allow prelink_t self:process { execheap execmem execstack signal }; -allow prelink_t self:fifo_file rw_fifo_file_perms; - -allow prelink_t prelink_cache_t:file manage_file_perms; -files_etc_filetrans(prelink_t, prelink_cache_t, file) - -allow prelink_t prelink_log_t:dir setattr; -create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -logging_log_filetrans(prelink_t, prelink_log_t, file) - -allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; -files_tmp_filetrans(prelink_t, prelink_tmp_t, file) - -allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; -fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) - -manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) -files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) - -# prelink misc objects that are not system -# libraries or entrypoints -allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; - -kernel_read_system_state(prelink_t) -kernel_read_kernel_sysctls(prelink_t) - -corecmd_manage_all_executables(prelink_t) -corecmd_relabel_all_executables(prelink_t) -corecmd_mmap_all_executables(prelink_t) -corecmd_read_bin_symlinks(prelink_t) - -dev_read_urand(prelink_t) - -files_list_all(prelink_t) -files_getattr_all_files(prelink_t) -files_write_non_security_dirs(prelink_t) -files_read_etc_files(prelink_t) -files_read_etc_runtime_files(prelink_t) -files_dontaudit_read_all_symlinks(prelink_t) -files_manage_usr_files(prelink_t) -files_manage_var_files(prelink_t) -files_relabelfrom_usr_files(prelink_t) - -fs_getattr_xattr_fs(prelink_t) - -selinux_get_enforce_mode(prelink_t) - -libs_exec_ld_so(prelink_t) -libs_legacy_use_shared_libs(prelink_t) -libs_manage_ld_so(prelink_t) -libs_relabel_ld_so(prelink_t) -libs_manage_shared_libs(prelink_t) -libs_relabel_shared_libs(prelink_t) -libs_delete_lib_symlinks(prelink_t) - -miscfiles_read_localization(prelink_t) - -userdom_use_user_terminals(prelink_t) - -optional_policy(` - amanda_manage_lib(prelink_t) -') - -optional_policy(` - cron_system_entry(prelink_t, prelink_exec_t) -') - -optional_policy(` - rpm_manage_tmp_files(prelink_t) -') - -optional_policy(` - unconfined_domain(prelink_t) -') - -######################################## -# -# Prelink Cron system Policy -# - -optional_policy(` - allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; - allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; - allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; - - read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) - allow prelink_cron_system_t prelink_cache_t:file unlink; - - domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) - allow prelink_cron_system_t prelink_t:process noatsecure; - - manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) - - manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) - files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) - allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; - - kernel_read_system_state(prelink_cron_system_t) - - corecmd_exec_bin(prelink_cron_system_t) - corecmd_exec_shell(prelink_cron_system_t) - - files_dontaudit_search_all_mountpoints(prelink_cron_system_t) - files_read_etc_files(prelink_cron_system_t) - files_search_var_lib(prelink_cron_system_t) - - init_exec(prelink_cron_system_t) - - libs_exec_ld_so(prelink_cron_system_t) - - logging_search_logs(prelink_cron_system_t) - - miscfiles_read_localization(prelink_cron_system_t) - - cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) - - optional_policy(` - rpm_read_db(prelink_cron_system_t) - ') -') diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc deleted file mode 100644 index f38723074..000000000 --- a/policy/modules/admin/quota.fc +++ /dev/null @@ -1,19 +0,0 @@ -HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) - -/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) -/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -ifdef(`distro_redhat',` -/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -',` -/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -') diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if deleted file mode 100644 index bf75d999c..000000000 --- a/policy/modules/admin/quota.if +++ /dev/null @@ -1,85 +0,0 @@ -## File system quota management - -######################################## -## -## Execute quota management tools in the quota domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`quota_domtrans',` - gen_require(` - type quota_t, quota_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, quota_exec_t, quota_t) -') - -######################################## -## -## Execute quota management tools in the quota domain, and -## allow the specified role the quota domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`quota_run',` - gen_require(` - type quota_t; - ') - - quota_domtrans($1) - role $2 types quota_t; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of filesystem quota data files. -## -## -## -## Domain to not audit. -## -## -# -interface(`quota_dontaudit_getattr_db',` - gen_require(` - type quota_db_t; - ') - - dontaudit $1 quota_db_t:file getattr_file_perms; -') - -######################################## -## -## Create, read, write, and delete quota -## flag files. -## -## -## -## Domain allowed access. -## -## -# -interface(`quota_manage_flags',` - gen_require(` - type quota_flag_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, quota_flag_t, quota_flag_t) -') diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te deleted file mode 100644 index 5dd42f5f1..000000000 --- a/policy/modules/admin/quota.te +++ /dev/null @@ -1,84 +0,0 @@ -policy_module(quota, 1.5.0) - -######################################## -# -# Declarations -# - -type quota_t; -type quota_exec_t; -init_system_domain(quota_t, quota_exec_t) - -type quota_db_t; -files_type(quota_db_t) - -type quota_flag_t; -files_type(quota_flag_t) - -######################################## -# -# Local policy -# - -allow quota_t self:capability { sys_admin dac_override }; -dontaudit quota_t self:capability sys_tty_config; -allow quota_t self:process signal_perms; - -# for /quota.* -allow quota_t quota_db_t:file { manage_file_perms quotaon }; -files_root_filetrans(quota_t, quota_db_t, file) -files_boot_filetrans(quota_t, quota_db_t, file) -files_etc_filetrans(quota_t, quota_db_t, file) -files_tmp_filetrans(quota_t, quota_db_t, file) -files_home_filetrans(quota_t, quota_db_t, file) -files_usr_filetrans(quota_t, quota_db_t, file) -files_var_filetrans(quota_t, quota_db_t, file) -files_spool_filetrans(quota_t, quota_db_t, file) - -kernel_list_proc(quota_t) -kernel_read_proc_symlinks(quota_t) -kernel_read_kernel_sysctls(quota_t) -kernel_setsched(quota_t) - -dev_read_sysfs(quota_t) -dev_getattr_all_blk_files(quota_t) -dev_getattr_all_chr_files(quota_t) - -fs_get_xattr_fs_quotas(quota_t) -fs_set_xattr_fs_quotas(quota_t) -fs_getattr_xattr_fs(quota_t) -fs_remount_xattr_fs(quota_t) -fs_search_auto_mountpoints(quota_t) - -mls_file_read_all_levels(quota_t) - -storage_raw_read_fixed_disk(quota_t) - -term_dontaudit_use_console(quota_t) - -domain_use_interactive_fds(quota_t) - -files_list_all(quota_t) -files_read_all_files(quota_t) -files_read_all_symlinks(quota_t) -files_getattr_all_pipes(quota_t) -files_getattr_all_sockets(quota_t) -files_getattr_all_file_type_fs(quota_t) -# Read /etc/mtab. -files_read_etc_runtime_files(quota_t) - -init_use_fds(quota_t) -init_use_script_ptys(quota_t) - -logging_send_syslog_msg(quota_t) - -userdom_use_user_terminals(quota_t) -userdom_dontaudit_use_unpriv_user_fds(quota_t) - -optional_policy(` - seutil_sigchld_newrole(quota_t) -') - -optional_policy(` - udev_read_db(quota_t) -') diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc deleted file mode 100644 index 70774134c..000000000 --- a/policy/modules/admin/readahead.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if deleted file mode 100644 index 47c4723c0..000000000 --- a/policy/modules/admin/readahead.if +++ /dev/null @@ -1 +0,0 @@ -## Readahead, read files into page cache for improved performance diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te deleted file mode 100644 index b4ac57e2c..000000000 --- a/policy/modules/admin/readahead.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(readahead, 1.12.0) - -######################################## -# -# Declarations -# - -type readahead_t; -type readahead_exec_t; -init_daemon_domain(readahead_t, readahead_exec_t) -application_domain(readahead_t, readahead_exec_t) - -type readahead_var_lib_t; -files_type(readahead_var_lib_t) -typealias readahead_var_lib_t alias readahead_etc_rw_t; - -type readahead_var_run_t; -files_pid_file(readahead_var_run_t) - -######################################## -# -# Local policy -# - -allow readahead_t self:capability { fowner dac_override dac_read_search }; -dontaudit readahead_t self:capability { net_admin sys_tty_config }; -allow readahead_t self:process { setsched signal_perms }; - -manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -files_search_var_lib(readahead_t) - -manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) -files_pid_filetrans(readahead_t, readahead_var_run_t, file) - -kernel_read_all_sysctls(readahead_t) -kernel_read_system_state(readahead_t) -kernel_dontaudit_getattr_core_if(readahead_t) - -dev_read_sysfs(readahead_t) -dev_getattr_generic_chr_files(readahead_t) -dev_getattr_generic_blk_files(readahead_t) -dev_getattr_all_chr_files(readahead_t) -dev_getattr_all_blk_files(readahead_t) -dev_dontaudit_read_all_blk_files(readahead_t) -dev_dontaudit_getattr_memory_dev(readahead_t) -dev_dontaudit_getattr_nvram_dev(readahead_t) -# Early devtmpfs, before udev relabel -dev_dontaudit_rw_generic_chr_files(readahead_t) - -domain_use_interactive_fds(readahead_t) -domain_read_all_domains_state(readahead_t) - -files_list_non_security(readahead_t) -files_read_non_security_files(readahead_t) -files_create_boot_flag(readahead_t) -files_getattr_all_pipes(readahead_t) -files_dontaudit_getattr_all_sockets(readahead_t) -files_dontaudit_getattr_non_security_blk_files(readahead_t) - -fs_getattr_all_fs(readahead_t) -fs_search_auto_mountpoints(readahead_t) -fs_getattr_all_pipes(readahead_t) -fs_getattr_all_files(readahead_t) -fs_read_cgroup_files(readahead_t) -fs_read_tmpfs_files(readahead_t) -fs_read_tmpfs_symlinks(readahead_t) -fs_list_inotifyfs(readahead_t) -fs_dontaudit_search_ramfs(readahead_t) -fs_dontaudit_read_ramfs_pipes(readahead_t) -fs_dontaudit_read_ramfs_files(readahead_t) -fs_dontaudit_use_tmpfs_chr_dev(readahead_t) - -mls_file_read_all_levels(readahead_t) - -storage_raw_read_fixed_disk(readahead_t) - -term_dontaudit_use_console(readahead_t) - -auth_dontaudit_read_shadow(readahead_t) - -init_use_fds(readahead_t) -init_use_script_ptys(readahead_t) -init_getattr_initctl(readahead_t) - -logging_send_syslog_msg(readahead_t) -logging_set_audit_parameters(readahead_t) -logging_dontaudit_search_audit_config(readahead_t) - -miscfiles_read_localization(readahead_t) - -userdom_dontaudit_use_unpriv_user_fds(readahead_t) -userdom_dontaudit_search_user_home_dirs(readahead_t) - -optional_policy(` - cron_system_entry(readahead_t, readahead_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(readahead_t) -') diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc deleted file mode 100644 index b206bf686..000000000 --- a/policy/modules/admin/rpm.fc +++ /dev/null @@ -1,52 +0,0 @@ - -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) -/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - -ifdef(`distro_redhat', ` -/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) -') - -/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - -/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) - -/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) - -# SuSE -ifdef(`distro_suse', ` -/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -') - -ifdef(`enable_mls',` -/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -') diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if deleted file mode 100644 index d33daa83f..000000000 --- a/policy/modules/admin/rpm.if +++ /dev/null @@ -1,578 +0,0 @@ -## Policy for the RPM package manager. - -######################################## -## -## Execute rpm programs in the rpm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpm_domtrans',` - gen_require(` - type rpm_t, rpm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) -') - -######################################## -## -## Execute debuginfo_install programs in the rpm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpm_debuginfo_domtrans',` - gen_require(` - type rpm_t, debuginfo_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, debuginfo_exec_t, rpm_t) -') - -######################################## -## -## Execute rpm_script programs in the rpm_script domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpm_domtrans_script',` - gen_require(` - type rpm_script_t; - ') - - # transition to rpm script: - corecmd_shell_domtrans($1, rpm_script_t) - allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_file_perms; - allow rpm_script_t $1:process sigchld; -') - -######################################## -## -## Execute RPM programs in the RPM domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the RPM domain. -## -## -## -# -interface(`rpm_run',` - gen_require(` - type rpm_t, rpm_script_t; - ') - - rpm_domtrans($1) - role $2 types { rpm_t rpm_script_t }; - seutil_run_loadpolicy(rpm_script_t, $2) - seutil_run_semanage(rpm_script_t, $2) - seutil_run_setfiles(rpm_script_t, $2) -') - -######################################## -## -## Execute the rpm client in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_exec',` - gen_require(` - type rpm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rpm_exec_t) -') - -######################################## -## -## Send a null signal to rpm. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_signull',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:process signull; -') - -######################################## -## -## Inherit and use file descriptors from RPM. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_use_fds',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fd use; -') - -######################################## -## -## Read from an unnamed RPM pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Read and write an unnamed RPM pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_rw_pipes',` - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send and receive messages from -## rpm over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - allow $1 rpm_t:dbus send_msg; - allow rpm_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit attempts to send and -## receive messages from rpm over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`rpm_dontaudit_dbus_chat',` - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - dontaudit $1 rpm_t:dbus send_msg; - dontaudit rpm_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## rpm_script over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_script_dbus_chat',` - gen_require(` - type rpm_script_t; - class dbus send_msg; - ') - - allow $1 rpm_script_t:dbus send_msg; - allow rpm_script_t $1:dbus send_msg; -') - -######################################## -## -## Search RPM log directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_search_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - allow $1 rpm_log_t:dir search_dir_perms; -') - -##################################### -## -## Allow the specified domain to append -## to rpm log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_append_log',` - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) -') - -######################################## -## -## Create, read, write, and delete the RPM log. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_log',` - gen_require(` - type rpm_log_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file manage_file_perms; -') - -######################################## -## -## Inherit and use file descriptors from RPM scripts. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_use_script_fds',` - gen_require(` - type rpm_script_t; - ') - - allow $1 rpm_script_t:fd use; -') - -######################################## -## -## Create, read, write, and delete RPM -## script temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -##################################### -## -## Allow the specified domain to append -## to rpm tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_append_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## -## Create, read, write, and delete RPM -## temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_tmp_files',` - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -') - -######################################## -## -## Read RPM script temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_script_tmp_files',` - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -') - -######################################## -## -## Read the RPM cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var($1) - allow $1 rpm_var_cache_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## -## Create, read, write, and delete the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_cache',` - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) -') - -######################################## -## -## Read the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## -## Delete the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_delete_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the RPM package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the RPM package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`rpm_dontaudit_manage_db',` - gen_require(` - type rpm_var_lib_t; - ') - - dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; -') - -##################################### -## -## Read rpm pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_read_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - read_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -##################################### -## -## Create, read, write, and delete rpm pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_manage_pid_files',` - gen_require(` - type rpm_var_run_t; - ') - - manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t) - files_search_pids($1) -') - -###################################### -## -## Create files in /var/run with the rpm pid file type. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpm_pid_filetrans',` - gen_require(` - type rpm_var_run_t; - ') - - files_pid_filetrans($1, rpm_var_run_t, file) -') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te deleted file mode 100644 index 7d964bf07..000000000 --- a/policy/modules/admin/rpm.te +++ /dev/null @@ -1,395 +0,0 @@ -policy_module(rpm, 1.13.0) - -######################################## -# -# Declarations -# - -type debuginfo_exec_t; -domain_entry_file(rpm_t, debuginfo_exec_t) - -type rpm_t; -type rpm_exec_t; -init_system_domain(rpm_t, rpm_exec_t) -domain_obj_id_change_exemption(rpm_t) -domain_role_change_exemption(rpm_t) -domain_system_change_exemption(rpm_t) -domain_interactive_fd(rpm_t) - -type rpm_file_t; -files_type(rpm_file_t) - -type rpm_tmp_t; -files_tmp_file(rpm_tmp_t) - -type rpm_tmpfs_t; -files_tmpfs_file(rpm_tmpfs_t) - -type rpm_log_t; -logging_log_file(rpm_log_t) - -type rpm_var_lib_t; -files_type(rpm_var_lib_t) -typealias rpm_var_lib_t alias var_lib_rpm_t; - -type rpm_var_cache_t; -files_type(rpm_var_cache_t) - -type rpm_var_run_t; -files_pid_file(rpm_var_run_t) - -type rpm_script_t; -type rpm_script_exec_t; -domain_obj_id_change_exemption(rpm_script_t) -domain_system_change_exemption(rpm_script_t) -corecmd_shell_entry_type(rpm_script_t) -corecmd_bin_entry_type(rpm_script_t) -domain_type(rpm_script_t) -domain_entry_file(rpm_t, rpm_script_exec_t) -domain_interactive_fd(rpm_script_t) -role system_r types rpm_script_t; - -type rpm_script_tmp_t; -files_tmp_file(rpm_script_tmp_t) - -type rpm_script_tmpfs_t; -files_tmpfs_file(rpm_script_tmpfs_t) - -######################################## -# -# rpm Local policy -# - -allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; -allow rpm_t self:process { getattr setexec setfscreate setrlimit }; -allow rpm_t self:fd use; -allow rpm_t self:fifo_file rw_fifo_file_perms; -allow rpm_t self:unix_dgram_socket create_socket_perms; -allow rpm_t self:unix_stream_socket rw_stream_socket_perms; -allow rpm_t self:unix_dgram_socket sendto; -allow rpm_t self:unix_stream_socket connectto; -allow rpm_t self:udp_socket { connect }; -allow rpm_t self:udp_socket create_socket_perms; -allow rpm_t self:tcp_socket create_stream_socket_perms; -allow rpm_t self:shm create_shm_perms; -allow rpm_t self:sem create_sem_perms; -allow rpm_t self:msgq create_msgq_perms; -allow rpm_t self:msg { send receive }; - -allow rpm_t rpm_log_t:file manage_file_perms; -logging_log_filetrans(rpm_t, rpm_log_t, file) - -manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) -manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) -files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) -can_exec(rpm_t, rpm_tmp_t) - -manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -can_exec(rpm_t, rpm_tmpfs_t) - -manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -files_var_filetrans(rpm_t, rpm_var_cache_t, dir) - -# Access /var/lib/rpm files -manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) -files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) - -manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -files_pid_filetrans(rpm_t, rpm_var_run_t, file) - -kernel_read_crypto_sysctls(rpm_t) -kernel_read_network_state(rpm_t) -kernel_read_system_state(rpm_t) -kernel_read_kernel_sysctls(rpm_t) - -corecmd_exec_all_executables(rpm_t) - -corenet_all_recvfrom_unlabeled(rpm_t) -corenet_all_recvfrom_netlabel(rpm_t) -corenet_tcp_sendrecv_generic_if(rpm_t) -corenet_raw_sendrecv_generic_if(rpm_t) -corenet_udp_sendrecv_generic_if(rpm_t) -corenet_tcp_sendrecv_generic_node(rpm_t) -corenet_raw_sendrecv_generic_node(rpm_t) -corenet_udp_sendrecv_generic_node(rpm_t) -corenet_tcp_sendrecv_all_ports(rpm_t) -corenet_udp_sendrecv_all_ports(rpm_t) -corenet_tcp_connect_all_ports(rpm_t) -corenet_sendrecv_all_client_packets(rpm_t) - -dev_list_sysfs(rpm_t) -dev_list_usbfs(rpm_t) -dev_read_urand(rpm_t) - -fs_getattr_all_dirs(rpm_t) -fs_list_inotifyfs(rpm_t) -fs_manage_nfs_dirs(rpm_t) -fs_manage_nfs_files(rpm_t) -fs_manage_nfs_symlinks(rpm_t) -fs_getattr_all_fs(rpm_t) -fs_search_auto_mountpoints(rpm_t) - -mls_file_read_all_levels(rpm_t) -mls_file_write_all_levels(rpm_t) -mls_file_upgrade(rpm_t) -mls_file_downgrade(rpm_t) - -selinux_get_fs_mount(rpm_t) -selinux_validate_context(rpm_t) -selinux_compute_access_vector(rpm_t) -selinux_compute_create_context(rpm_t) -selinux_compute_relabel_context(rpm_t) -selinux_compute_user_contexts(rpm_t) - -storage_raw_write_fixed_disk(rpm_t) -# for installing kernel packages -storage_raw_read_fixed_disk(rpm_t) - -term_list_ptys(rpm_t) - -auth_relabel_all_files_except_auth_files(rpm_t) -auth_manage_all_files_except_auth_files(rpm_t) -auth_dontaudit_read_shadow(rpm_t) -auth_use_nsswitch(rpm_t) - -# transition to rpm script: -rpm_domtrans_script(rpm_t) - -domain_read_all_domains_state(rpm_t) -domain_getattr_all_domains(rpm_t) -domain_dontaudit_ptrace_all_domains(rpm_t) -domain_use_interactive_fds(rpm_t) -domain_dontaudit_getattr_all_pipes(rpm_t) -domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -domain_dontaudit_getattr_all_udp_sockets(rpm_t) -domain_dontaudit_getattr_all_packet_sockets(rpm_t) -domain_dontaudit_getattr_all_raw_sockets(rpm_t) -domain_dontaudit_getattr_all_stream_sockets(rpm_t) -domain_dontaudit_getattr_all_dgram_sockets(rpm_t) - -files_exec_etc_files(rpm_t) - -init_domtrans_script(rpm_t) -init_use_script_ptys(rpm_t) - -libs_exec_ld_so(rpm_t) -libs_exec_lib_files(rpm_t) -libs_domtrans_ldconfig(rpm_t) - -logging_send_syslog_msg(rpm_t) - -# allow compiling and loading new policy -seutil_manage_src_policy(rpm_t) -seutil_manage_bin_policy(rpm_t) - -userdom_use_user_terminals(rpm_t) -userdom_use_unpriv_users_fds(rpm_t) - -optional_policy(` - cron_system_entry(rpm_t, rpm_exec_t) -') - -optional_policy(` - dbus_system_domain(rpm_t, rpm_exec_t) - dbus_system_domain(rpm_t, debuginfo_exec_t) - - optional_policy(` - hal_dbus_chat(rpm_t) - ') - - optional_policy(` - networkmanager_dbus_chat(rpm_t) - ') -') - -optional_policy(` - prelink_domtrans(rpm_t) -') - -optional_policy(` - unconfined_domain(rpm_t) - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) - unconfined_dbus_chat(rpm_script_t) -') - -######################################## -# -# rpm-script Local policy -# - -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; -allow rpm_script_t self:fd use; -allow rpm_script_t self:fifo_file rw_fifo_file_perms; -allow rpm_script_t self:unix_dgram_socket create_socket_perms; -allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; -allow rpm_script_t self:unix_dgram_socket sendto; -allow rpm_script_t self:unix_stream_socket connectto; -allow rpm_script_t self:shm create_shm_perms; -allow rpm_script_t self:sem create_sem_perms; -allow rpm_script_t self:msgq create_msgq_perms; -allow rpm_script_t self:msg { send receive }; -allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; - -allow rpm_script_t rpm_tmp_t:file read_file_perms; - -allow rpm_script_t rpm_script_tmp_t:dir mounton; -manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) -can_exec(rpm_script_t, rpm_script_tmp_t) - -manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -can_exec(rpm_script_t, rpm_script_tmpfs_t) - -kernel_read_crypto_sysctls(rpm_script_t) -kernel_read_kernel_sysctls(rpm_script_t) -kernel_read_system_state(rpm_script_t) -kernel_read_network_state(rpm_script_t) -kernel_read_software_raid_state(rpm_script_t) - -dev_list_sysfs(rpm_script_t) - -# ideally we would not need this -dev_manage_generic_blk_files(rpm_script_t) -dev_manage_generic_chr_files(rpm_script_t) -dev_manage_all_blk_files(rpm_script_t) -dev_manage_all_chr_files(rpm_script_t) - -fs_manage_nfs_files(rpm_script_t) -fs_getattr_nfs(rpm_script_t) -fs_search_all(rpm_script_t) -fs_getattr_all_fs(rpm_script_t) -# why is this not using mount? -fs_getattr_xattr_fs(rpm_script_t) -fs_mount_xattr_fs(rpm_script_t) -fs_unmount_xattr_fs(rpm_script_t) -fs_search_auto_mountpoints(rpm_script_t) - -mcs_killall(rpm_script_t) -mcs_ptrace_all(rpm_script_t) - -mls_file_read_all_levels(rpm_script_t) -mls_file_write_all_levels(rpm_script_t) - -selinux_get_fs_mount(rpm_script_t) -selinux_validate_context(rpm_script_t) -selinux_compute_access_vector(rpm_script_t) -selinux_compute_create_context(rpm_script_t) -selinux_compute_relabel_context(rpm_script_t) -selinux_compute_user_contexts(rpm_script_t) - -storage_raw_read_fixed_disk(rpm_script_t) -storage_raw_write_fixed_disk(rpm_script_t) - -term_getattr_unallocated_ttys(rpm_script_t) -term_list_ptys(rpm_script_t) -term_use_all_terms(rpm_script_t) - -auth_dontaudit_getattr_shadow(rpm_script_t) -auth_use_nsswitch(rpm_script_t) -# ideally we would not need this -auth_manage_all_files_except_auth_files(rpm_script_t) -auth_relabel_shadow(rpm_script_t) - -corecmd_exec_all_executables(rpm_script_t) - -domain_read_all_domains_state(rpm_script_t) -domain_getattr_all_domains(rpm_script_t) -domain_dontaudit_ptrace_all_domains(rpm_script_t) -domain_use_interactive_fds(rpm_script_t) -domain_signal_all_domains(rpm_script_t) -domain_signull_all_domains(rpm_script_t) - -files_exec_etc_files(rpm_script_t) -files_read_etc_runtime_files(rpm_script_t) -files_exec_usr_files(rpm_script_t) -files_relabel_all_files(rpm_script_t) - -init_domtrans_script(rpm_script_t) -init_telinit(rpm_script_t) - -libs_exec_ld_so(rpm_script_t) -libs_exec_lib_files(rpm_script_t) -libs_domtrans_ldconfig(rpm_script_t) - -logging_send_syslog_msg(rpm_script_t) - -miscfiles_read_localization(rpm_script_t) - -modutils_domtrans_depmod(rpm_script_t) -modutils_domtrans_insmod(rpm_script_t) - -seutil_domtrans_loadpolicy(rpm_script_t) -seutil_domtrans_setfiles(rpm_script_t) -seutil_domtrans_semanage(rpm_script_t) - -userdom_use_all_users_fds(rpm_script_t) - -ifdef(`distro_redhat',` - optional_policy(` - mta_send_mail(rpm_script_t) - ') -') - -tunable_policy(`allow_execmem',` - allow rpm_script_t self:process execmem; -') - -optional_policy(` - bootloader_domtrans(rpm_script_t) -') - -optional_policy(` - dbus_system_bus_client(rpm_script_t) -') - -optional_policy(` - lvm_domtrans(rpm_script_t) -') - -optional_policy(` - ntp_domtrans(rpm_script_t) -') - -optional_policy(` - tzdata_domtrans(rpm_t) - tzdata_domtrans(rpm_script_t) -') - -optional_policy(` - udev_domtrans(rpm_script_t) -') - -optional_policy(` - unconfined_domain(rpm_script_t) - unconfined_domtrans(rpm_script_t) - - optional_policy(` - java_domtrans_unconfined(rpm_script_t) - ') - - optional_policy(` - mono_domtrans(rpm_script_t) - ') -') - -optional_policy(` - usermanage_domtrans_groupadd(rpm_script_t) - usermanage_domtrans_useradd(rpm_script_t) -') diff --git a/policy/modules/admin/sectoolm.fc b/policy/modules/admin/sectoolm.fc deleted file mode 100644 index 1ed68709e..000000000 --- a/policy/modules/admin/sectoolm.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) - -/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) -/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/policy/modules/admin/sectoolm.if b/policy/modules/admin/sectoolm.if deleted file mode 100644 index 900745118..000000000 --- a/policy/modules/admin/sectoolm.if +++ /dev/null @@ -1,2 +0,0 @@ -## Sectool security audit tool - diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te deleted file mode 100644 index c8ef84b90..000000000 --- a/policy/modules/admin/sectoolm.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(sectoolm, 1.0.0) - -######################################## -# -# Declarations -# - -type sectoolm_t; -type sectoolm_exec_t; -dbus_system_domain(sectoolm_t, sectoolm_exec_t) - -type sectool_var_lib_t; -files_type(sectool_var_lib_t) - -type sectool_var_log_t; -logging_log_file(sectool_var_log_t) - -type sectool_tmp_t; -files_tmp_file(sectool_tmp_t) - -######################################## -# -# sectool local policy -# - -allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; -allow sectoolm_t self:process { getcap getsched signull setsched }; -dontaudit sectoolm_t self:process { execstack execmem }; -allow sectoolm_t self:fifo_file rw_fifo_file_perms; -allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; - -manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) - -manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) -manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) -files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) - -manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t) -logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) - -kernel_read_net_sysctls(sectoolm_t) -kernel_read_network_state(sectoolm_t) -kernel_read_kernel_sysctls(sectoolm_t) - -corecmd_exec_bin(sectoolm_t) -corecmd_exec_shell(sectoolm_t) - -dev_read_sysfs(sectoolm_t) -dev_read_urand(sectoolm_t) -dev_getattr_all_blk_files(sectoolm_t) -dev_getattr_all_chr_files(sectoolm_t) - -domain_getattr_all_domains(sectoolm_t) -domain_read_all_domains_state(sectoolm_t) - -files_getattr_all_pipes(sectoolm_t) -files_getattr_all_sockets(sectoolm_t) -files_read_all_files(sectoolm_t) -files_read_all_symlinks(sectoolm_t) - -fs_getattr_all_fs(sectoolm_t) -fs_list_noxattr_fs(sectoolm_t) - -selinux_validate_context(sectoolm_t) - -# tcp_wrappers test -application_exec_all(sectoolm_t) - -auth_use_nsswitch(sectoolm_t) - -# tests related to network -hostname_exec(sectoolm_t) - -# tests related to network -iptables_domtrans(sectoolm_t) - -libs_exec_ld_so(sectoolm_t) - -logging_send_syslog_msg(sectoolm_t) - -# tests related to network -sysnet_domtrans_ifconfig(sectoolm_t) - -userdom_manage_user_tmp_sockets(sectoolm_t) - -optional_policy(` - mount_exec(sectoolm_t) -') - -optional_policy(` - policykit_dbus_chat(sectoolm_t) -') - -# suid test using -# rpm -Vf option -optional_policy(` - prelink_domtrans(sectoolm_t) -') - -optional_policy(` - rpm_exec(sectoolm_t) - rpm_dontaudit_manage_db(sectoolm_t) -') - diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc deleted file mode 100644 index 48d13634b..000000000 --- a/policy/modules/admin/shorewall.fc +++ /dev/null @@ -1,16 +0,0 @@ -/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) -/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) - -/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) -/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) - -/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) -/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) - -/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - -/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) - -/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if deleted file mode 100644 index 781ad7e8a..000000000 --- a/policy/modules/admin/shorewall.if +++ /dev/null @@ -1,202 +0,0 @@ -## Shoreline Firewall high-level tool for configuring netfilter - -######################################## -## -## Execute a domain transition to run shorewall. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shorewall_domtrans',` - gen_require(` - type shorewall_t, shorewall_exec_t; - ') - - domtrans_pattern($1, shorewall_exec_t, shorewall_t) -') - -###################################### -## -## Execute a domain transition to run shorewall. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shorewall_lib_domtrans',` - gen_require(` - type shorewall_t, shorewall_var_lib_t; - ') - - domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) -') - -####################################### -## -## Read shorewall etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_config',` - gen_require(` - type shorewall_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) -') - -####################################### -## -## Read shorewall PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -####################################### -## -## Read and write shorewall PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_rw_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -###################################### -## -## Read shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_lib_files',` - gen_require(` - type shorewall_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## -## Read and write shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_rw_lib_files',` - gen_require(` - type shorewall_var_lib_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## -## Read shorewall tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_tmp_files',` - gen_require(` - type shorewall_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) -') - -####################################### -## -## All of the rules required to administrate -## an shorewall environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`shorewall_admin',` - gen_require(` - type shorewall_t, shorewall_lock_t; - type shorewall_log_t; - type shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t, shorewall_etc_t; - ') - - allow $1 shorewall_t:process { ptrace signal_perms }; - ps_process_pattern($1, shorewall_t) - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - - files_list_locks($1) - admin_pattern($1, shorewall_lock_t) - - logging_list_logs($1) - admin_pattern($1, shorewall_log_t) - - files_list_var_lib($1) - admin_pattern($1, shorewall_var_lib_t) - - files_list_tmp($1) - admin_pattern($1, shorewall_tmp_t) -') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te deleted file mode 100644 index 4723c6b9b..000000000 --- a/policy/modules/admin/shorewall.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(shorewall, 1.3.0) - -######################################## -# -# Declarations -# - -type shorewall_t; -type shorewall_exec_t; -init_daemon_domain(shorewall_t, shorewall_exec_t) - -type shorewall_initrc_exec_t; -init_script_file(shorewall_initrc_exec_t) - -# etc files -type shorewall_etc_t; -files_config_file(shorewall_etc_t) - -# lock files -type shorewall_lock_t; -files_lock_file(shorewall_lock_t) - -# tmp files -type shorewall_tmp_t; -files_tmp_file(shorewall_tmp_t) - -# var/lib files -type shorewall_var_lib_t; -files_type(shorewall_var_lib_t) -domain_entry_file(shorewall_t, shorewall_var_lib_t) - -type shorewall_log_t; -logging_log_file(shorewall_log_t) - -######################################## -# -# shorewall local policy -# - -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; -dontaudit shorewall_t self:capability sys_tty_config; -allow shorewall_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) -list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) - -manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) -files_lock_filetrans(shorewall_t, shorewall_lock_t, file) - -manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) - -manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) - -exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) -files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) - -allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - -kernel_read_kernel_sysctls(shorewall_t) -kernel_read_network_state(shorewall_t) -kernel_read_system_state(shorewall_t) -kernel_rw_net_sysctls(shorewall_t) - -corecmd_exec_bin(shorewall_t) -corecmd_exec_shell(shorewall_t) - -dev_read_urand(shorewall_t) - -domain_read_all_domains_state(shorewall_t) - -files_getattr_kernel_modules(shorewall_t) -files_read_etc_files(shorewall_t) -files_read_usr_files(shorewall_t) -files_search_kernel_modules(shorewall_t) - -fs_getattr_all_fs(shorewall_t) - -init_rw_utmp(shorewall_t) - -logging_send_syslog_msg(shorewall_t) - -miscfiles_read_localization(shorewall_t) - -sysnet_domtrans_ifconfig(shorewall_t) - -userdom_dontaudit_list_user_home_dirs(shorewall_t) - -optional_policy(` - hostname_exec(shorewall_t) -') - -optional_policy(` - iptables_domtrans(shorewall_t) -') - -optional_policy(` - modutils_domtrans_insmod(shorewall_t) -') - -optional_policy(` - ulogd_search_log(shorewall_t) -') diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc deleted file mode 100644 index 97671a330..000000000 --- a/policy/modules/admin/shutdown.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) - -/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if deleted file mode 100644 index d0604cfe4..000000000 --- a/policy/modules/admin/shutdown.if +++ /dev/null @@ -1,69 +0,0 @@ -## System shutdown command - -######################################## -## -## Execute a domain transition to run shutdown. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shutdown_domtrans',` - gen_require(` - type shutdown_t, shutdown_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, shutdown_exec_t, shutdown_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit shutdown_t $1:socket_class_set { read write }; - dontaudit shutdown_t $1:fifo_file { read write }; - ') -') - -######################################## -## -## Execute shutdown in the shutdown domain, and -## allow the specified role the shutdown domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`shutdown_run',` - gen_require(` - type shutdown_t; - ') - - shutdown_domtrans($1) - role $2 types shutdown_t; -') - -######################################## -## -## Get attributes of shutdown executable. -## -## -## -## Domain allowed access. -## -## -# -interface(`shutdown_getattr_exec_files',` - gen_require(` - type shutdown_exec_t; - ') - - corecmd_search_bin($1) - allow $1 shutdown_exec_t:file getattr_file_perms; -') diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te deleted file mode 100644 index 8966ec954..000000000 --- a/policy/modules/admin/shutdown.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(shutdown, 1.1.0) - -######################################## -# -# Declarations -# - -type shutdown_t; -type shutdown_exec_t; -application_domain(shutdown_t, shutdown_exec_t) -role system_r types shutdown_t; - -type shutdown_etc_t; -files_config_file(shutdown_etc_t) - -type shutdown_var_run_t; -files_pid_file(shutdown_var_run_t) - -######################################## -# -# shutdown local policy -# - -allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; -allow shutdown_t self:process { fork signal signull }; - -allow shutdown_t self:fifo_file manage_fifo_file_perms; -allow shutdown_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) -files_etc_filetrans(shutdown_t, shutdown_etc_t, file) - -manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) -files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) - -domain_use_interactive_fds(shutdown_t) - -files_read_etc_files(shutdown_t) -files_read_generic_pids(shutdown_t) - -term_use_all_terms(shutdown_t) - -auth_use_nsswitch(shutdown_t) -auth_write_login_records(shutdown_t) - -init_dontaudit_write_utmp(shutdown_t) -init_read_utmp(shutdown_t) -init_stream_connect(shutdown_t) -init_telinit(shutdown_t) - -logging_search_logs(shutdown_t) -logging_send_audit_msgs(shutdown_t) - -miscfiles_read_localization(shutdown_t) - -optional_policy(` - dbus_system_bus_client(shutdown_t) - dbus_connect_system_bus(shutdown_t) -') - -optional_policy(` - xserver_dontaudit_write_log(shutdown_t) -') diff --git a/policy/modules/admin/smoltclient.fc b/policy/modules/admin/smoltclient.fc deleted file mode 100644 index 47cc44053..000000000 --- a/policy/modules/admin/smoltclient.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) - diff --git a/policy/modules/admin/smoltclient.if b/policy/modules/admin/smoltclient.if deleted file mode 100644 index a54079b7c..000000000 --- a/policy/modules/admin/smoltclient.if +++ /dev/null @@ -1 +0,0 @@ -## The Fedora hardware profiler client diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te deleted file mode 100644 index bc00875d0..000000000 --- a/policy/modules/admin/smoltclient.te +++ /dev/null @@ -1,68 +0,0 @@ -policy_module(smoltclient, 1.1.0) - -######################################## -# -# Declarations -# - -type smoltclient_t; -type smoltclient_exec_t; -application_domain(smoltclient_t, smoltclient_exec_t) -cron_system_entry(smoltclient_t, smoltclient_exec_t) - -type smoltclient_tmp_t; -files_tmp_file(smoltclient_tmp_t) - -######################################## -# -# Local policy -# - -allow smoltclient_t self:process { setsched getsched }; - -allow smoltclient_t self:fifo_file rw_fifo_file_perms; -allow smoltclient_t self:tcp_socket create_socket_perms; -allow smoltclient_t self:udp_socket create_socket_perms; - -can_exec(smoltclient_t, smoltclient_tmp_t) -manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file }) - -kernel_read_system_state(smoltclient_t) -kernel_read_network_state(smoltclient_t) -kernel_read_kernel_sysctls(smoltclient_t) - -corecmd_exec_bin(smoltclient_t) -corecmd_exec_shell(smoltclient_t) - -corenet_tcp_connect_http_port(smoltclient_t) - -dev_read_sysfs(smoltclient_t) - -fs_getattr_all_fs(smoltclient_t) -fs_getattr_all_dirs(smoltclient_t) -fs_list_auto_mountpoints(smoltclient_t) - -files_getattr_generic_locks(smoltclient_t) -files_read_etc_files(smoltclient_t) -files_read_usr_files(smoltclient_t) - -auth_use_nsswitch(smoltclient_t) - -logging_send_syslog_msg(smoltclient_t) - -miscfiles_read_localization(smoltclient_t) - -optional_policy(` - dbus_system_bus_client(smoltclient_t) -') - -optional_policy(` - hal_dbus_chat(smoltclient_t) -') - -optional_policy(` - rpm_exec(smoltclient_t) - rpm_read_db(smoltclient_t) -') diff --git a/policy/modules/admin/sosreport.fc b/policy/modules/admin/sosreport.fc deleted file mode 100644 index a40478eb3..000000000 --- a/policy/modules/admin/sosreport.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if deleted file mode 100644 index 94c01b54b..000000000 --- a/policy/modules/admin/sosreport.if +++ /dev/null @@ -1,129 +0,0 @@ -## sosreport - Generate debugging information for system - -######################################## -## -## Execute a domain transition to run sosreport. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sosreport_domtrans',` - gen_require(` - type sosreport_t, sosreport_exec_t; - ') - - domtrans_pattern($1, sosreport_exec_t, sosreport_t) -') - -######################################## -## -## Execute sosreport in the sosreport domain, and -## allow the specified role the sosreport domain. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -# -interface(`sosreport_run',` - gen_require(` - type sosreport_t; - ') - - sosreport_domtrans($1) - role $2 types sosreport_t; -') - -######################################## -## -## Role access for sosreport -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`sosreport_role',` - gen_require(` - type sosreport_t; - ') - - role $1 types sosreport_t; - - sosreport_domtrans($2) - - ps_process_pattern($2, sosreport_t) - allow $2 sosreport_t:process signal; -') - -######################################## -## -## Allow the specified domain to read -## sosreport tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sosreport_read_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') - -######################################## -## -## Append sosreport tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sosreport_append_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') - -######################################## -## -## Delete sosreport tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sosreport_delete_tmp_files',` - gen_require(` - type sosreport_tmp_t; - ') - - files_delete_tmp_dir_entry($1) - delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -') diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te deleted file mode 100644 index ebaff2f4c..000000000 --- a/policy/modules/admin/sosreport.te +++ /dev/null @@ -1,148 +0,0 @@ -policy_module(sosreport, 1.1.0) - -######################################## -# -# Declarations -# - -type sosreport_t; -type sosreport_exec_t; -application_domain(sosreport_t, sosreport_exec_t) -role system_r types sosreport_t; - -type sosreport_tmp_t; -files_tmp_file(sosreport_tmp_t) - -type sosreport_tmpfs_t; -files_tmpfs_file(sosreport_tmpfs_t) - -######################################## -# -# sosreport local policy -# - -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; -allow sosreport_t self:process { setsched signull }; -allow sosreport_t self:fifo_file rw_fifo_file_perms; -allow sosreport_t self:tcp_socket create_stream_socket_perms; -allow sosreport_t self:udp_socket create_socket_perms; -allow sosreport_t self:unix_dgram_socket create_socket_perms; -allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; -allow sosreport_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) - -manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) -fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) - -kernel_read_network_state(sosreport_t) -kernel_read_all_sysctls(sosreport_t) -kernel_read_software_raid_state(sosreport_t) -kernel_search_debugfs(sosreport_t) -kernel_read_messages(sosreport_t) - -corecmd_exec_all_executables(sosreport_t) - -dev_getattr_all_chr_files(sosreport_t) -dev_getattr_all_blk_files(sosreport_t) -dev_getattr_mtrr_dev(sosreport_t) -dev_read_rand(sosreport_t) -dev_read_urand(sosreport_t) -dev_read_raw_memory(sosreport_t) -dev_read_sysfs(sosreport_t) - -domain_getattr_all_domains(sosreport_t) -domain_read_all_domains_state(sosreport_t) -domain_getattr_all_sockets(sosreport_t) -domain_getattr_all_pipes(sosreport_t) -domain_signull_all_domains(sosreport_t) - -files_getattr_all_sockets(sosreport_t) -files_exec_etc_files(sosreport_t) -files_list_all(sosreport_t) -files_read_config_files(sosreport_t) -files_read_etc_files(sosreport_t) -files_read_generic_tmp_files(sosreport_t) -files_read_usr_files(sosreport_t) -files_read_var_lib_files(sosreport_t) -files_read_var_symlinks(sosreport_t) -files_read_kernel_modules(sosreport_t) -files_read_all_symlinks(sosreport_t) -# for blkid.tab -files_manage_etc_runtime_files(sosreport_t) -files_etc_filetrans_etc_runtime(sosreport_t, file) - -fs_getattr_all_fs(sosreport_t) -fs_list_inotifyfs(sosreport_t) - -# some config files do not have configfile attribute -# sosreport needs to read various files on system -auth_read_all_files_except_auth_files(sosreport_t) -auth_use_nsswitch(sosreport_t) - -init_domtrans_script(sosreport_t) - -libs_domtrans_ldconfig(sosreport_t) - -logging_read_all_logs(sosreport_t) -logging_send_syslog_msg(sosreport_t) - -miscfiles_read_localization(sosreport_t) - -# needed by modinfo -modutils_read_module_deps(sosreport_t) - -sysnet_read_config(sosreport_t) - -optional_policy(` - abrt_manage_pid_files(sosreport_t) -') - -optional_policy(` - cups_stream_connect(sosreport_t) -') - -optional_policy(` - dmesg_domtrans(sosreport_t) -') - -optional_policy(` - fstools_domtrans(sosreport_t) -') - -optional_policy(` - dbus_system_bus_client(sosreport_t) - - optional_policy(` - hal_dbus_chat(sosreport_t) - ') -') - -optional_policy(` - lvm_domtrans(sosreport_t) -') - -optional_policy(` - mount_domtrans(sosreport_t) -') - -optional_policy(` - pulseaudio_stream_connect(sosreport_t) -') - -optional_policy(` - rpm_exec(sosreport_t) - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) -') - -optional_policy(` - xserver_stream_connect(sosreport_t) -') - -optional_policy(` - unconfined_domain(sosreport_t) -') diff --git a/policy/modules/admin/sxid.fc b/policy/modules/admin/sxid.fc deleted file mode 100644 index bc3797bc6..000000000 --- a/policy/modules/admin/sxid.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0) -/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0) - -/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0) -/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0) -/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0) diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if deleted file mode 100644 index dd8ac62e9..000000000 --- a/policy/modules/admin/sxid.if +++ /dev/null @@ -1,22 +0,0 @@ -## SUID/SGID program monitoring - -######################################## -## -## Allow the specified domain to read -## sxid log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sxid_read_log',` - gen_require(` - type sxid_log_t; - ') - - logging_search_logs($1) - allow $1 sxid_log_t:file read_file_perms; -') diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te deleted file mode 100644 index 045fb8624..000000000 --- a/policy/modules/admin/sxid.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(sxid, 1.6.0) - -######################################## -# -# Declarations -# - -type sxid_t; -type sxid_exec_t; -application_domain(sxid_t, sxid_exec_t) - -type sxid_log_t; -logging_log_file(sxid_log_t) - -type sxid_tmp_t; -files_tmp_file(sxid_tmp_t) - -######################################## -# -# Local policy -# - -allow sxid_t self:capability { dac_override dac_read_search fsetid }; -dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; -allow sxid_t self:process signal_perms; -allow sxid_t self:fifo_file rw_fifo_file_perms; -allow sxid_t self:tcp_socket create_stream_socket_perms; -allow sxid_t self:udp_socket create_socket_perms; - -allow sxid_t sxid_log_t:file manage_file_perms; -logging_log_filetrans(sxid_t, sxid_log_t, file) - -manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) -manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) -files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir }) - -kernel_read_system_state(sxid_t) -kernel_read_kernel_sysctls(sxid_t) - -corecmd_exec_bin(sxid_t) -corecmd_exec_shell(sxid_t) - -corenet_all_recvfrom_unlabeled(sxid_t) -corenet_all_recvfrom_netlabel(sxid_t) -corenet_tcp_sendrecv_generic_if(sxid_t) -corenet_udp_sendrecv_generic_if(sxid_t) -corenet_tcp_sendrecv_generic_node(sxid_t) -corenet_udp_sendrecv_generic_node(sxid_t) -corenet_tcp_sendrecv_all_ports(sxid_t) -corenet_udp_sendrecv_all_ports(sxid_t) - -dev_read_sysfs(sxid_t) -dev_getattr_all_blk_files(sxid_t) -dev_getattr_all_chr_files(sxid_t) - -domain_use_interactive_fds(sxid_t) - -files_list_all(sxid_t) -files_getattr_all_symlinks(sxid_t) -files_getattr_all_pipes(sxid_t) -files_getattr_all_sockets(sxid_t) - -fs_getattr_xattr_fs(sxid_t) -fs_search_auto_mountpoints(sxid_t) -fs_list_all(sxid_t) - -term_dontaudit_use_console(sxid_t) - -auth_read_all_files_except_auth_files(sxid_t) -auth_dontaudit_getattr_shadow(sxid_t) - -init_use_fds(sxid_t) -init_use_script_ptys(sxid_t) - -logging_send_syslog_msg(sxid_t) - -miscfiles_read_localization(sxid_t) - -mount_exec(sxid_t) - -sysnet_read_config(sxid_t) - -userdom_dontaudit_use_unpriv_user_fds(sxid_t) - -cron_system_entry(sxid_t, sxid_exec_t) - -optional_policy(` - mta_send_mail(sxid_t) -') - -optional_policy(` - seutil_sigchld_newrole(sxid_t) -') - -optional_policy(` - udev_read_db(sxid_t) -') diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc deleted file mode 100644 index 81077dbc5..000000000 --- a/policy/modules/admin/tmpreaper.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/policy/modules/admin/tmpreaper.if b/policy/modules/admin/tmpreaper.if deleted file mode 100644 index 8dfbd809a..000000000 --- a/policy/modules/admin/tmpreaper.if +++ /dev/null @@ -1,21 +0,0 @@ -## Manage temporary directory sizes and file ages - -######################################## -## -## Execute tmpreaper in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`tmpreaper_exec',` - gen_require(` - type tmpreaper_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, tmpreaper_exec_t) -') diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te deleted file mode 100644 index 6a5004b91..000000000 --- a/policy/modules/admin/tmpreaper.te +++ /dev/null @@ -1,74 +0,0 @@ -policy_module(tmpreaper, 1.5.0) - -######################################## -# -# Declarations -# - -type tmpreaper_t; -type tmpreaper_exec_t; -application_domain(tmpreaper_t, tmpreaper_exec_t) -role system_r types tmpreaper_t; - -######################################## -# -# Local Policy -# - -allow tmpreaper_t self:process { fork sigchld }; -allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; - -dev_read_urand(tmpreaper_t) - -fs_getattr_xattr_fs(tmpreaper_t) - -files_read_etc_files(tmpreaper_t) -files_read_var_lib_files(tmpreaper_t) -files_purge_tmp(tmpreaper_t) -# why does it need setattr? -files_setattr_all_tmp_dirs(tmpreaper_t) -files_getattr_all_dirs(tmpreaper_t) -files_getattr_all_files(tmpreaper_t) - -mls_file_read_all_levels(tmpreaper_t) -mls_file_write_all_levels(tmpreaper_t) - -logging_send_syslog_msg(tmpreaper_t) - -miscfiles_read_localization(tmpreaper_t) -miscfiles_delete_man_pages(tmpreaper_t) - -cron_system_entry(tmpreaper_t, tmpreaper_exec_t) - -ifdef(`distro_redhat',` - userdom_list_user_home_content(tmpreaper_t) - userdom_delete_user_home_content_dirs(tmpreaper_t) - userdom_delete_user_home_content_files(tmpreaper_t) - userdom_delete_user_home_content_symlinks(tmpreaper_t) -') - -optional_policy(` - amavis_manage_spool_files(tmpreaper_t) -') - -optional_policy(` - apache_list_cache(tmpreaper_t) - apache_delete_cache_files(tmpreaper_t) - apache_setattr_cache_dirs(tmpreaper_t) -') - -optional_policy(` - kismet_manage_log(tmpreaper_t) -') - -optional_policy(` - lpd_manage_spool(tmpreaper_t) -') - -optional_policy(` - rpm_manage_cache(tmpreaper_t) -') - -optional_policy(` - unconfined_domain(tmpreaper_t) -') diff --git a/policy/modules/admin/tripwire.fc b/policy/modules/admin/tripwire.fc deleted file mode 100644 index 962662fd5..000000000 --- a/policy/modules/admin/tripwire.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0) - -/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0) -/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0) -/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0) -/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0) - -/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0) -/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0) diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if deleted file mode 100644 index 27abd8806..000000000 --- a/policy/modules/admin/tripwire.if +++ /dev/null @@ -1,190 +0,0 @@ -## Tripwire file integrity checker. -## -##

-## Tripwire file integrity checker. -##

-##

-## NOTE: Tripwire creates temp file in its current working directory. -## This policy does not allow write access to home directories, so -## users will need to either cd to a directory where they have write -## permission, or set the TEMPDIRECTORY variable in the tripwire config -## file. The latter is preferable, as then the file_type_auto_trans -## rules will kick in and label the files as private to tripwire. -##

-## - -######################################## -## -## Execute tripwire in the tripwire domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_tripwire',` - gen_require(` - type tripwire_t, tripwire_exec_t; - ') - - domtrans_pattern($1, tripwire_exec_t, tripwire_t) -') - -######################################## -## -## Execute tripwire in the tripwire domain, and -## allow the specified role the tripwire domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_tripwire',` - gen_require(` - type tripwire_t; - ') - - tripwire_domtrans_tripwire($1) - role $2 types tripwire_t; -') - -######################################## -## -## Execute twadmin in the twadmin domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_twadmin',` - gen_require(` - type twadmin_t, twadmin_exec_t; - ') - - domtrans_pattern($1, twadmin_exec_t, twadmin_t) -') - -######################################## -## -## Execute twadmin in the twadmin domain, and -## allow the specified role the twadmin domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_twadmin',` - gen_require(` - type twadmin_t; - ') - - tripwire_domtrans_twadmin($1) - role $2 types twadmin_t; -') - -######################################## -## -## Execute twprint in the twprint domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_twprint',` - gen_require(` - type twprint_t, twprint_exec_t; - ') - - domtrans_pattern($1, twprint_exec_t, twprint_t) -') - -######################################## -## -## Execute twprint in the twprint domain, and -## allow the specified role the twprint domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_twprint',` - gen_require(` - type twprint_t; - ') - - tripwire_domtrans_twprint($1) - role $2 types twprint_t; -') - -######################################## -## -## Execute siggen in the siggen domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tripwire_domtrans_siggen',` - gen_require(` - type siggen_t, siggen_exec_t; - ') - - domtrans_pattern($1, siggen_exec_t, siggen_t) -') - -######################################## -## -## Execute siggen in the siggen domain, and -## allow the specified role the siggen domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tripwire_run_siggen',` - gen_require(` - type siggen_t; - ') - - tripwire_domtrans_siggen($1) - role $2 types siggen_t; -') diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te deleted file mode 100644 index 2ae8b62cb..000000000 --- a/policy/modules/admin/tripwire.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(tripwire, 1.2.0) - -######################################## -# -# Declarations -# - -type siggen_t; -type siggen_exec_t; -application_domain(siggen_t, siggen_exec_t) - -type tripwire_t; -type tripwire_exec_t; -application_domain(tripwire_t, tripwire_exec_t) -role system_r types tripwire_t; - -type tripwire_etc_t; -files_config_file(tripwire_etc_t) - -type tripwire_report_t; -files_type(tripwire_report_t) - -type tripwire_tmp_t; -files_tmp_file(tripwire_tmp_t) - -type tripwire_var_lib_t; -files_type(tripwire_var_lib_t) - -type twadmin_t; -type twadmin_exec_t; -application_domain(twadmin_t, twadmin_exec_t) - -type twprint_t; -type twprint_exec_t; -application_domain(twprint_t, twprint_exec_t) - -######################################## -# -# Tripwire local policy -# - -allow tripwire_t self:capability { setgid setuid dac_override }; - -allow tripwire_t tripwire_etc_t:dir list_dir_perms; -read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) -read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) -files_search_etc(tripwire_t) - -# Tripwire report files -manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) -manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) -manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) - -manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) -files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t) -files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file) - -kernel_read_system_state(tripwire_t) -kernel_read_network_state(tripwire_t) -kernel_read_software_raid_state(tripwire_t) -kernel_getattr_core_if(tripwire_t) -kernel_getattr_message_if(tripwire_t) -kernel_read_kernel_sysctls(tripwire_t) - -corecmd_exec_shell(tripwire_t) -corecmd_exec_bin(tripwire_t) - -domain_use_interactive_fds(tripwire_t) - -files_read_all_files(tripwire_t) -files_read_all_symlinks(tripwire_t) -files_getattr_all_pipes(tripwire_t) -files_getattr_all_sockets(tripwire_t) - -logging_send_syslog_msg(tripwire_t) - -userdom_use_user_terminals(tripwire_t) - -optional_policy(` - cron_system_entry(tripwire_t, tripwire_exec_t) -') - -######################################## -# -# Twadmin local policy -# - -manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) -manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) -manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) - -domain_use_interactive_fds(twadmin_t) - -logging_send_syslog_msg(twadmin_t) - -miscfiles_read_localization(twadmin_t) - -userdom_use_user_terminals(twadmin_t) - -######################################## -# -# Twprint local policy -# - -allow twprint_t tripwire_etc_t:dir list_dir_perms; -read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) -read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) - -allow twprint_t tripwire_report_t:dir list_dir_perms; -read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) -read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) - -allow twprint_t tripwire_var_lib_t:dir list_dir_perms; -read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) -read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) -files_search_var_lib(twprint_t) - -domain_use_interactive_fds(twprint_t) - -logging_send_syslog_msg(twprint_t) - -miscfiles_read_localization(twprint_t) - -userdom_use_user_terminals(twprint_t) - -######################################## -# -# Siggen local policy -# - -domain_use_interactive_fds(siggen_t) - -# Need permission to read files -files_read_all_files(siggen_t) - -logging_send_syslog_msg(siggen_t) - -miscfiles_read_localization(siggen_t) - -userdom_use_user_terminals(siggen_t) diff --git a/policy/modules/admin/tzdata.fc b/policy/modules/admin/tzdata.fc deleted file mode 100644 index 04b854883..000000000 --- a/policy/modules/admin/tzdata.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0) diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if deleted file mode 100644 index 01c6c864b..000000000 --- a/policy/modules/admin/tzdata.if +++ /dev/null @@ -1,45 +0,0 @@ -## Time zone updater - -######################################## -## -## Execute a domain transition to run tzdata. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tzdata_domtrans',` - gen_require(` - type tzdata_t, tzdata_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tzdata_exec_t, tzdata_t) -') - -######################################## -## -## Execute the tzdata program in the tzdata domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the tzdata domain. -## -## -## -# -interface(`tzdata_run',` - gen_require(` - type tzdata_t; - ') - - tzdata_domtrans($1) - role $2 types tzdata_t; -') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te deleted file mode 100644 index d0f2a6404..000000000 --- a/policy/modules/admin/tzdata.te +++ /dev/null @@ -1,36 +0,0 @@ -policy_module(tzdata, 1.4.0) - -######################################## -# -# Declarations -# - -type tzdata_t; -type tzdata_exec_t; -init_daemon_domain(tzdata_t, tzdata_exec_t) -application_domain(tzdata_t, tzdata_exec_t) - -######################################## -# -# tzdata local policy -# - -files_read_etc_files(tzdata_t) -files_search_spool(tzdata_t) - -fs_getattr_xattr_fs(tzdata_t) - -term_dontaudit_list_ptys(tzdata_t) - -locallogin_dontaudit_use_fds(tzdata_t) - -miscfiles_read_localization(tzdata_t) -miscfiles_manage_localization(tzdata_t) -miscfiles_etc_filetrans_localization(tzdata_t) - -userdom_use_user_terminals(tzdata_t) - -# tzdata looks for /var/spool/postfix/etc/localtime. -optional_policy(` - postfix_search_spool(tzdata_t) -') diff --git a/policy/modules/admin/updfstab.fc b/policy/modules/admin/updfstab.fc deleted file mode 100644 index e534c88ba..000000000 --- a/policy/modules/admin/updfstab.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0) -/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0) diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if deleted file mode 100644 index 4d4b60e03..000000000 --- a/policy/modules/admin/updfstab.if +++ /dev/null @@ -1,21 +0,0 @@ -## Red Hat utility to change /etc/fstab. - -######################################## -## -## Execute updfstab in the updfstab domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`updfstab_domtrans',` - gen_require(` - type updfstab_t, updfstab_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, updfstab_exec_t, updfstab_t) -') diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te deleted file mode 100644 index ef12ed52e..000000000 --- a/policy/modules/admin/updfstab.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(updfstab, 1.5.0) - -######################################## -# -# Declarations -# - -type updfstab_t; -type updfstab_exec_t; -init_system_domain(updfstab_t, updfstab_exec_t) - -######################################## -# -# Local policy -# - -allow updfstab_t self:capability dac_override; -dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; -allow updfstab_t self:process signal_perms; -allow updfstab_t self:fifo_file rw_fifo_file_perms; - -kernel_use_fds(updfstab_t) -kernel_read_kernel_sysctls(updfstab_t) -kernel_dontaudit_write_kernel_sysctl(updfstab_t) -# for /proc/partitions -kernel_read_system_state(updfstab_t) -# cjp: why is this required -kernel_change_ring_buffer_level(updfstab_t) - -dev_read_sysfs(updfstab_t) -dev_manage_generic_symlinks(updfstab_t) - -fs_getattr_xattr_fs(updfstab_t) -fs_getattr_tmpfs(updfstab_t) -fs_getattr_tmpfs_dirs(updfstab_t) -fs_search_auto_mountpoints(updfstab_t) - -selinux_get_fs_mount(updfstab_t) -selinux_validate_context(updfstab_t) -selinux_compute_access_vector(updfstab_t) -selinux_compute_create_context(updfstab_t) -selinux_compute_relabel_context(updfstab_t) -selinux_compute_user_contexts(updfstab_t) - -storage_raw_read_fixed_disk(updfstab_t) -storage_raw_write_fixed_disk(updfstab_t) -storage_raw_read_removable_device(updfstab_t) -storage_raw_write_removable_device(updfstab_t) -storage_read_scsi_generic(updfstab_t) -storage_write_scsi_generic(updfstab_t) - -term_dontaudit_use_console(updfstab_t) - -corecmd_exec_bin(updfstab_t) - -domain_use_interactive_fds(updfstab_t) - -files_manage_mnt_files(updfstab_t) -files_manage_mnt_dirs(updfstab_t) -files_manage_mnt_symlinks(updfstab_t) -files_manage_etc_files(updfstab_t) -files_dontaudit_search_home(updfstab_t) -# for /etc/mtab -files_read_etc_runtime_files(updfstab_t) - -init_use_fds(updfstab_t) -init_use_script_ptys(updfstab_t) - -logging_send_syslog_msg(updfstab_t) -logging_search_logs(updfstab_t) - -miscfiles_read_localization(updfstab_t) - -seutil_read_config(updfstab_t) -seutil_read_default_contexts(updfstab_t) -seutil_read_file_contexts(updfstab_t) - -userdom_dontaudit_search_user_home_content(updfstab_t) -userdom_dontaudit_use_unpriv_user_fds(updfstab_t) - -optional_policy(` - auth_domtrans_pam_console(updfstab_t) -') - -optional_policy(` - init_dbus_chat_script(updfstab_t) - - dbus_system_bus_client(updfstab_t) -') - -optional_policy(` - fstools_getattr_swap_files(updfstab_t) -') - -optional_policy(` - hal_stream_connect(updfstab_t) - hal_dbus_chat(updfstab_t) -') - -optional_policy(` - modutils_read_module_config(updfstab_t) - modutils_exec_insmod(updfstab_t) - modutils_read_module_deps(updfstab_t) -') - -optional_policy(` - nscd_socket_use(updfstab_t) -') - -optional_policy(` - seutil_sigchld_newrole(updfstab_t) -') - -optional_policy(` - udev_read_db(updfstab_t) -') diff --git a/policy/modules/admin/usbmodules.fc b/policy/modules/admin/usbmodules.fc deleted file mode 100644 index a008efb57..000000000 --- a/policy/modules/admin/usbmodules.fc +++ /dev/null @@ -1,9 +0,0 @@ -# -# /sbin -# -/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) - -# -# /usr -# -/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if deleted file mode 100644 index b7eade34c..000000000 --- a/policy/modules/admin/usbmodules.if +++ /dev/null @@ -1,46 +0,0 @@ -## List kernel modules of USB devices - -######################################## -## -## Execute usbmodules in the usbmodules domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usbmodules_domtrans',` - gen_require(` - type usbmodules_t, usbmodules_exec_t; - ') - - domtrans_pattern($1, usbmodules_exec_t, usbmodules_t) -') - -######################################## -## -## Execute usbmodules in the usbmodules domain, and -## allow the specified role the usbmodules domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usbmodules_run',` - gen_require(` - type usbmodules_t; - ') - - usbmodules_domtrans($1) - role $2 types usbmodules_t; -') diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te deleted file mode 100644 index 74354da7e..000000000 --- a/policy/modules/admin/usbmodules.te +++ /dev/null @@ -1,47 +0,0 @@ -policy_module(usbmodules, 1.2.0) - -######################################## -# -# Declarations -# - -type usbmodules_t; -type usbmodules_exec_t; -init_system_domain(usbmodules_t, usbmodules_exec_t) -role system_r types usbmodules_t; - -######################################## -# -# Local policy -# - -kernel_list_proc(usbmodules_t) - -files_list_kernel_modules(usbmodules_t) - -dev_list_usbfs(usbmodules_t) -# allow usb device access -dev_rw_usbfs(usbmodules_t) - -files_list_etc(usbmodules_t) -# needs etc_t read access for the hotplug config, maybe should have a new type -files_read_etc_files(usbmodules_t) - -term_read_console(usbmodules_t) -term_write_console(usbmodules_t) - -init_use_fds(usbmodules_t) - -miscfiles_read_hwdata(usbmodules_t) - -modutils_read_module_deps(usbmodules_t) - -userdom_use_user_terminals(usbmodules_t) - -optional_policy(` - hotplug_read_config(usbmodules_t) -') - -optional_policy(` - logging_send_syslog_msg(usbmodules_t) -') diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 441cf226c..d4d853371 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -505,7 +505,9 @@ userdom_manage_user_home_content_files(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t) userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) -mta_manage_spool(useradd_t) +optional_policy(` + mta_manage_spool(useradd_t) +') ifdef(`distro_redhat',` optional_policy(` diff --git a/policy/modules/admin/vbetool.fc b/policy/modules/admin/vbetool.fc deleted file mode 100644 index d00970f13..000000000 --- a/policy/modules/admin/vbetool.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0) diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if deleted file mode 100644 index f46ab176f..000000000 --- a/policy/modules/admin/vbetool.if +++ /dev/null @@ -1,45 +0,0 @@ -## run real-mode video BIOS code to alter hardware state - -######################################## -## -## Execute vbetool application in the vbetool domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vbetool_domtrans',` - gen_require(` - type vbetool_t, vbetool_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vbetool_exec_t, vbetool_t) -') - -######################################## -## -## Execute vbetool in the vbetool domain, and -## allow the specified role the vbetool domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`vbetool_run',` - gen_require(` - type vbetool_t; - ') - - vbetool_domtrans($1) - role $2 types vbetool_t; -') diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te deleted file mode 100644 index 001c93c72..000000000 --- a/policy/modules/admin/vbetool.te +++ /dev/null @@ -1,51 +0,0 @@ -policy_module(vbetool, 1.6.0) - -######################################## -# -# Declarations -# - -## -##

-## Ignore vbetool mmap_zero errors. -##

-## -gen_tunable(vbetool_mmap_zero_ignore, false) - -type vbetool_t; -type vbetool_exec_t; -init_system_domain(vbetool_t, vbetool_exec_t) - -######################################## -# -# Local policy -# - -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; -allow vbetool_t self:process execmem; - -dev_wx_raw_memory(vbetool_t) -dev_read_raw_memory(vbetool_t) -dev_rwx_zero(vbetool_t) -dev_rw_sysfs(vbetool_t) -dev_rw_xserver_misc(vbetool_t) -dev_rw_mtrr(vbetool_t) - -domain_mmap_low(vbetool_t) - -mls_file_read_all_levels(vbetool_t) -mls_file_write_all_levels(vbetool_t) - -term_use_unallocated_ttys(vbetool_t) - -miscfiles_read_localization(vbetool_t) - -tunable_policy(`vbetool_mmap_zero_ignore',` - dontaudit vbetool_t self:memprotect mmap_zero; -') - -optional_policy(` - hal_rw_pid_files(vbetool_t) - hal_write_log(vbetool_t) - hal_dontaudit_append_lib_files(vbetool_t) -') diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc deleted file mode 100644 index 076dcc3e6..000000000 --- a/policy/modules/admin/vpn.fc +++ /dev/null @@ -1,13 +0,0 @@ -# -# sbin -# -/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -# -# /usr -# -/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - -/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if deleted file mode 100644 index 64f8cdc49..000000000 --- a/policy/modules/admin/vpn.if +++ /dev/null @@ -1,139 +0,0 @@ -## Virtual Private Networking client - -######################################## -## -## Execute VPN clients in the vpnc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vpn_domtrans',` - gen_require(` - type vpnc_t, vpnc_exec_t; - ') - - domtrans_pattern($1, vpnc_exec_t, vpnc_t) -') - -######################################## -## -## Execute VPN clients in the vpnc domain, and -## allow the specified role the vpnc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`vpn_run',` - gen_require(` - type vpnc_t; - ') - - vpn_domtrans($1) - role $2 types vpnc_t; - sysnet_run_ifconfig(vpnc_t, $2) -') - -######################################## -## -## Send VPN clients the kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_kill',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process sigkill; -') - -######################################## -## -## Send generic signals to VPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_signal',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signal; -') - -######################################## -## -## Send signull to VPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_signull',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signull; -') - -######################################## -## -## Send and receive messages from -## Vpnc over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_dbus_chat',` - gen_require(` - type vpnc_t; - class dbus send_msg; - ') - - allow $1 vpnc_t:dbus send_msg; - allow vpnc_t $1:dbus send_msg; -') - -######################################## -## -## Relabelfrom from vpnc socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`vpn_relabelfrom_tun_socket',` - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:tun_socket relabelfrom; -') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te deleted file mode 100644 index ebf4b2643..000000000 --- a/policy/modules/admin/vpn.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(vpn, 1.14.0) - -######################################## -# -# Declarations -# - -type vpnc_t; -type vpnc_exec_t; -application_domain(vpnc_t, vpnc_exec_t) -role system_r types vpnc_t; - -type vpnc_tmp_t; -files_tmp_file(vpnc_tmp_t) - -type vpnc_var_run_t; -files_pid_file(vpnc_var_run_t) - -######################################## -# -# Local policy -# - -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; -allow vpnc_t self:process { getsched signal }; -allow vpnc_t self:fifo_file rw_fifo_file_perms; -allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -allow vpnc_t self:tcp_socket create_stream_socket_perms; -allow vpnc_t self:udp_socket create_socket_perms; -allow vpnc_t self:rawip_socket create_socket_perms; -allow vpnc_t self:unix_dgram_socket create_socket_perms; -allow vpnc_t self:unix_stream_socket create_socket_perms; -allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; -# cjp: this needs to be fixed -allow vpnc_t self:socket create_socket_perms; - -manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) - -manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir}) - -kernel_read_system_state(vpnc_t) -kernel_read_network_state(vpnc_t) -kernel_read_all_sysctls(vpnc_t) -kernel_request_load_module(vpnc_t) -kernel_rw_net_sysctls(vpnc_t) - -corenet_all_recvfrom_unlabeled(vpnc_t) -corenet_all_recvfrom_netlabel(vpnc_t) -corenet_tcp_sendrecv_generic_if(vpnc_t) -corenet_udp_sendrecv_generic_if(vpnc_t) -corenet_raw_sendrecv_generic_if(vpnc_t) -corenet_tcp_sendrecv_generic_node(vpnc_t) -corenet_udp_sendrecv_generic_node(vpnc_t) -corenet_raw_sendrecv_generic_node(vpnc_t) -corenet_tcp_sendrecv_all_ports(vpnc_t) -corenet_udp_sendrecv_all_ports(vpnc_t) -corenet_udp_bind_generic_node(vpnc_t) -corenet_udp_bind_generic_port(vpnc_t) -corenet_udp_bind_isakmp_port(vpnc_t) -corenet_udp_bind_ipsecnat_port(vpnc_t) -corenet_tcp_connect_all_ports(vpnc_t) -corenet_sendrecv_all_client_packets(vpnc_t) -corenet_sendrecv_isakmp_server_packets(vpnc_t) -corenet_sendrecv_generic_server_packets(vpnc_t) -corenet_rw_tun_tap_dev(vpnc_t) - -dev_read_rand(vpnc_t) -dev_read_urand(vpnc_t) -dev_read_sysfs(vpnc_t) - -domain_use_interactive_fds(vpnc_t) - -fs_getattr_xattr_fs(vpnc_t) -fs_getattr_tmpfs(vpnc_t) - -term_use_all_ptys(vpnc_t) -term_use_all_ttys(vpnc_t) - -corecmd_exec_all_executables(vpnc_t) - -files_exec_etc_files(vpnc_t) -files_read_etc_runtime_files(vpnc_t) -files_read_etc_files(vpnc_t) -files_dontaudit_search_home(vpnc_t) - -auth_use_nsswitch(vpnc_t) - -libs_exec_ld_so(vpnc_t) -libs_exec_lib_files(vpnc_t) - -locallogin_use_fds(vpnc_t) - -logging_send_syslog_msg(vpnc_t) -logging_dontaudit_search_logs(vpnc_t) - -miscfiles_read_localization(vpnc_t) - -seutil_dontaudit_search_config(vpnc_t) -seutil_use_newrole_fds(vpnc_t) - -sysnet_etc_filetrans_config(vpnc_t) -sysnet_manage_config(vpnc_t) - -userdom_use_all_users_fds(vpnc_t) -userdom_dontaudit_search_user_home_content(vpnc_t) - -optional_policy(` - dbus_system_bus_client(vpnc_t) - - optional_policy(` - networkmanager_dbus_chat(vpnc_t) - ') -') - -optional_policy(` - networkmanager_attach_tun_iface(vpnc_t) -') diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc deleted file mode 100644 index e802ed567..000000000 --- a/policy/modules/apps/ada.fc +++ /dev/null @@ -1,7 +0,0 @@ -# -# /usr -# -/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0) -/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if deleted file mode 100644 index 43ba21dc3..000000000 --- a/policy/modules/apps/ada.if +++ /dev/null @@ -1,45 +0,0 @@ -## GNAT Ada95 compiler - -######################################## -## -## Execute the ada program in the ada domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ada_domtrans',` - gen_require(` - type ada_t, ada_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ada_exec_t, ada_t) -') - -######################################## -## -## Execute ada in the ada domain, and -## allow the specified role the ada domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`ada_run',` - gen_require(` - type ada_t; - ') - - ada_domtrans($1) - role $2 types ada_t; -') diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te deleted file mode 100644 index 39c75fb48..000000000 --- a/policy/modules/apps/ada.te +++ /dev/null @@ -1,24 +0,0 @@ -policy_module(ada, 1.4.0) - -######################################## -# -# Declarations -# - -type ada_t; -type ada_exec_t; -application_domain(ada_t, ada_exec_t) -role system_r types ada_t; - -######################################## -# -# Local policy -# - -allow ada_t self:process { execstack execmem }; - -userdom_use_user_terminals(ada_t) - -optional_policy(` - unconfined_domain(ada_t) -') diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc deleted file mode 100644 index 48cf11b4b..000000000 --- a/policy/modules/apps/authbind.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0) - -/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) diff --git a/policy/modules/apps/authbind.if b/policy/modules/apps/authbind.if deleted file mode 100644 index d28020f14..000000000 --- a/policy/modules/apps/authbind.if +++ /dev/null @@ -1,20 +0,0 @@ -## Tool for non-root processes to bind to reserved ports - -######################################## -## -## Use authbind to bind to a reserved port. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`authbind_domtrans',` - gen_require(` - type authbind_t, authbind_exec_t; - ') - - domtrans_pattern($1, authbind_exec_t, authbind_t) - allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; -') diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te deleted file mode 100644 index b4285f76a..000000000 --- a/policy/modules/apps/authbind.te +++ /dev/null @@ -1,31 +0,0 @@ -policy_module(authbind, 1.1.0) - -######################################## -# -# Declarations -# - -type authbind_t; -type authbind_exec_t; -application_domain(authbind_t, authbind_exec_t) -role system_r types authbind_t; - -type authbind_etc_t; -files_config_file(authbind_etc_t) - -######################################## -# -# Local policy -# - -allow authbind_t self:capability net_bind_service; - -allow authbind_t authbind_etc_t:dir list_dir_perms; -exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) -read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) - -files_list_etc(authbind_t) - -term_use_console(authbind_t) - -logging_send_syslog_msg(authbind_t) diff --git a/policy/modules/apps/awstats.fc b/policy/modules/apps/awstats.fc deleted file mode 100644 index 5f0fa49db..000000000 --- a/policy/modules/apps/awstats.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) -/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) -/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) - -/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if deleted file mode 100644 index 283ff0d19..000000000 --- a/policy/modules/apps/awstats.if +++ /dev/null @@ -1,42 +0,0 @@ -## -## AWStats is a free powerful and featureful tool that generates advanced -## web, streaming, ftp or mail server statistics, graphically. -## - -######################################## -## -## Read and write awstats unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`awstats_rw_pipes',` - gen_require(` - type awstats_t; - ') - - allow $1 awstats_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Execute awstats cgi scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`awstats_cgi_exec',` - gen_require(` - type httpd_awstats_script_exec_t, httpd_awstats_content_t; - ') - - allow $1 httpd_awstats_content_t:dir search_dir_perms; - allow $1 httpd_awstats_script_exec_t:dir search_dir_perms; - can_exec($1, httpd_awstats_script_exec_t) -') diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te deleted file mode 100644 index 6bd3ad3c4..000000000 --- a/policy/modules/apps/awstats.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(awstats, 1.4.0) - -######################################## -# -# Declarations -# - -type awstats_t; -type awstats_exec_t; -domain_type(awstats_t) -domain_entry_file(awstats_t, awstats_exec_t) -role system_r types awstats_t; - -type awstats_tmp_t; -files_tmp_file(awstats_tmp_t) - -type awstats_var_lib_t; -files_type(awstats_var_lib_t) - -apache_content_template(awstats) - -######################################## -# -# awstats policy -# - -awstats_rw_pipes(awstats_t) -awstats_cgi_exec(awstats_t) - -can_exec(awstats_t, awstats_exec_t) - -manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) -manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) -files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) - -manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) -files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file) - -# dontaudit access to /proc/meminfo -kernel_dontaudit_read_system_state(awstats_t) - -corecmd_exec_bin(awstats_t) -corecmd_exec_shell(awstats_t) - -dev_read_urand(awstats_t) - -files_read_etc_files(awstats_t) -# e.g. /usr/share/awstats/lang/awstats-en.txt -files_read_usr_files(awstats_t) -files_dontaudit_search_all_mountpoints(awstats_t) - -fs_list_inotifyfs(awstats_t) - -libs_read_lib_files(awstats_t) - -logging_read_generic_logs(awstats_t) - -miscfiles_read_localization(awstats_t) - -sysnet_dns_name_resolve(awstats_t) - -apache_read_log(awstats_t) - -optional_policy(` - cron_system_entry(awstats_t, awstats_exec_t) -') - -optional_policy(` - # dontaudit searching nscd pid directory - nscd_dontaudit_search_pid(awstats_t) -') - -optional_policy(` - squid_read_log(awstats_t) -') - -######################################## -# -# awstats cgi script policy -# - -allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; - -read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) -files_search_var_lib(httpd_awstats_script_t) diff --git a/policy/modules/apps/calamaris.fc b/policy/modules/apps/calamaris.fc deleted file mode 100644 index 9cbd0a063..000000000 --- a/policy/modules/apps/calamaris.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /etc -# -/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0) - -# -# /var -# -/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0) -/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0) diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if deleted file mode 100644 index df183be28..000000000 --- a/policy/modules/apps/calamaris.if +++ /dev/null @@ -1,21 +0,0 @@ -## Squid log analysis - -####################################### -## -## Allow domain to read calamaris www files. -## -## -## -## Domain allowed access. -## -## -# -interface(`calamaris_read_www_files',` - gen_require(` - type calamaris_www_t; - ') - - allow $1 calamaris_www_t:dir list_dir_perms; - read_files_pattern($1, calamaris_www_t, calamaris_www_t) - read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t) -') diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te deleted file mode 100644 index b13fb66cd..000000000 --- a/policy/modules/apps/calamaris.te +++ /dev/null @@ -1,83 +0,0 @@ -policy_module(calamaris, 1.7.0) - -######################################## -# -# Declarations -# - -type calamaris_t; -type calamaris_exec_t; -init_system_domain(calamaris_t, calamaris_exec_t) - -type calamaris_www_t; -files_type(calamaris_www_t) - -type calamaris_log_t; -logging_log_file(calamaris_log_t) - -######################################## -# -# Local policy -# - -# for when squid has a different UID -allow calamaris_t self:capability dac_override; -allow calamaris_t self:process { fork signal_perms setsched }; -allow calamaris_t self:fifo_file rw_fifo_file_perms; -allow calamaris_t self:unix_stream_socket create_stream_socket_perms; -allow calamaris_t self:tcp_socket create_stream_socket_perms; -allow calamaris_t self:udp_socket create_socket_perms; - -manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) -manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) - -manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t) -logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir }) - -kernel_read_all_sysctls(calamaris_t) -kernel_read_system_state(calamaris_t) - -corecmd_exec_bin(calamaris_t) - -corenet_all_recvfrom_unlabeled(calamaris_t) -corenet_all_recvfrom_netlabel(calamaris_t) -corenet_tcp_sendrecv_generic_if(calamaris_t) -corenet_udp_sendrecv_generic_if(calamaris_t) -corenet_tcp_sendrecv_generic_node(calamaris_t) -corenet_udp_sendrecv_generic_node(calamaris_t) -corenet_tcp_sendrecv_all_ports(calamaris_t) -corenet_udp_sendrecv_all_ports(calamaris_t) - -dev_read_urand(calamaris_t) - -files_search_pids(calamaris_t) -files_read_etc_files(calamaris_t) -files_read_usr_files(calamaris_t) -files_read_var_files(calamaris_t) -files_read_etc_runtime_files(calamaris_t) - -libs_read_lib_files(calamaris_t) - -auth_use_nsswitch(calamaris_t) - -logging_send_syslog_msg(calamaris_t) - -miscfiles_read_localization(calamaris_t) - -userdom_dontaudit_list_user_home_dirs(calamaris_t) - -optional_policy(` - apache_search_sys_content(calamaris_t) -') - -optional_policy(` - cron_system_entry(calamaris_t, calamaris_exec_t) -') - -optional_policy(` - mta_send_mail(calamaris_t) -') - -optional_policy(` - squid_read_log(calamaris_t) -') diff --git a/policy/modules/apps/cdrecord.fc b/policy/modules/apps/cdrecord.fc deleted file mode 100644 index 91697ccda..000000000 --- a/policy/modules/apps/cdrecord.fc +++ /dev/null @@ -1,6 +0,0 @@ -# -# /usr -# -/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0) diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if deleted file mode 100644 index 1582faff2..000000000 --- a/policy/modules/apps/cdrecord.if +++ /dev/null @@ -1,33 +0,0 @@ -## Policy for cdrecord - -######################################## -## -## Role access for cdrecord -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`cdrecord_role',` - gen_require(` - type cdrecord_t, cdrecord_exec_t; - ') - - role $1 types cdrecord_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) - - allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl }; - - # allow ps to show cdrecord and allow the user to kill it - ps_process_pattern($2, cdrecord_t) - allow $2 cdrecord_t:process signal; -') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te deleted file mode 100644 index 3aacb25f7..000000000 --- a/policy/modules/apps/cdrecord.te +++ /dev/null @@ -1,120 +0,0 @@ -policy_module(cdrecord, 2.4.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow cdrecord to read various content. -## nfs, samba, removable devices, user temp -## and untrusted content files -##

-## -gen_tunable(cdrecord_read_content, false) - -type cdrecord_t; -type cdrecord_exec_t; -typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t }; -typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t }; -application_domain(cdrecord_t, cdrecord_exec_t) -ubac_constrained(cdrecord_t) - -######################################## -# -# Local policy -# - -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; -allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; -allow cdrecord_t self:unix_dgram_socket create_socket_perms; -allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; - -# growisofs uses mkisofs -corecmd_exec_bin(cdrecord_t) - -# allow searching for cdrom-drive -dev_list_all_dev_nodes(cdrecord_t) -dev_read_sysfs(cdrecord_t) - -domain_interactive_fd(cdrecord_t) -domain_use_interactive_fds(cdrecord_t) - -files_read_etc_files(cdrecord_t) - -term_use_controlling_term(cdrecord_t) -term_list_ptys(cdrecord_t) - -# allow cdrecord to write the CD -storage_raw_read_removable_device(cdrecord_t) -storage_raw_write_removable_device(cdrecord_t) -storage_write_scsi_generic(cdrecord_t) - -logging_send_syslog_msg(cdrecord_t) - -miscfiles_read_localization(cdrecord_t) - -# write to the user domain tty. -userdom_use_user_terminals(cdrecord_t) -userdom_read_user_home_content_files(cdrecord_t) - -# Handle nfs home dirs -tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) - files_list_home(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) - -',` - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_auto_mountpoints(cdrecord_t) - fs_dontaudit_read_nfs_files(cdrecord_t) - fs_dontaudit_list_nfs(cdrecord_t) -') -# Handle samba home dirs -tunable_policy(`cdrecord_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) - files_list_home(cdrecord_t) - fs_read_cifs_files(cdrecord_t) - fs_read_cifs_symlinks(cdrecord_t) -',` - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_auto_mountpoints(cdrecord_t) - fs_dontaudit_read_cifs_files(cdrecord_t) - fs_dontaudit_list_cifs(cdrecord_t) -') - -# Handle removable media, /tmp, and /home -tunable_policy(`cdrecord_read_content',` - userdom_list_user_tmp(cdrecord_t) - userdom_read_user_tmp_files(cdrecord_t) - userdom_read_user_tmp_symlinks(cdrecord_t) - userdom_read_user_home_content_files(cdrecord_t) - userdom_read_user_home_content_symlinks(cdrecord_t) - - ifndef(`enable_mls',` - fs_search_removable(cdrecord_t) - fs_read_removable_files(cdrecord_t) - fs_read_removable_symlinks(cdrecord_t) - ') -',` - files_dontaudit_list_tmp(cdrecord_t) - files_dontaudit_list_home(cdrecord_t) - fs_dontaudit_list_removable(cdrecord_t) - fs_dontaudit_read_removable_files(cdrecord_t) - userdom_dontaudit_list_user_tmp(cdrecord_t) - userdom_dontaudit_read_user_tmp_files(cdrecord_t) - userdom_dontaudit_list_user_home_dirs(cdrecord_t) - userdom_dontaudit_read_user_home_content_files(cdrecord_t) -') - -tunable_policy(`use_nfs_home_dirs',` - files_search_mnt(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) -') - -optional_policy(` - resmgr_stream_connect(cdrecord_t) -') diff --git a/policy/modules/apps/cpufreqselector.fc b/policy/modules/apps/cpufreqselector.fc deleted file mode 100644 index b187f0f71..000000000 --- a/policy/modules/apps/cpufreqselector.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if deleted file mode 100644 index 932fa5321..000000000 --- a/policy/modules/apps/cpufreqselector.if +++ /dev/null @@ -1,22 +0,0 @@ -## Command-line CPU frequency settings. - -######################################## -## -## Send and receive messages from -## cpufreq-selector over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`cpufreqselector_dbus_chat',` - gen_require(` - type cpufreqselector_t; - class dbus send_msg; - ') - - allow $1 cpufreqselector_t:dbus send_msg; - allow cpufreqselector_t $1:dbus send_msg; -') diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te deleted file mode 100644 index f77d58a44..000000000 --- a/policy/modules/apps/cpufreqselector.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(cpufreqselector, 1.3.0) - -######################################## -# -# Declarations -# - -type cpufreqselector_t; -type cpufreqselector_exec_t; -application_domain(cpufreqselector_t, cpufreqselector_exec_t) - -######################################## -# -# cpufreq-selector local policy -# - -allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -allow cpufreqselector_t self:process getsched; -allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(cpufreqselector_t) - -files_read_etc_files(cpufreqselector_t) -files_read_usr_files(cpufreqselector_t) - -corecmd_search_bin(cpufreqselector_t) - -dev_rw_sysfs(cpufreqselector_t) - -miscfiles_read_localization(cpufreqselector_t) - -userdom_read_all_users_state(cpufreqselector_t) -userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) - -optional_policy(` - dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) - - optional_policy(` - consolekit_dbus_chat(cpufreqselector_t) - ') - - optional_policy(` - policykit_dbus_chat(cpufreqselector_t) - ') -') - -optional_policy(` - nscd_dontaudit_search_pid(cpufreqselector_t) -') - -optional_policy(` - policykit_domtrans_auth(cpufreqselector_t) - policykit_read_lib(cpufreqselector_t) - policykit_read_reload(cpufreqselector_t) -') diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc deleted file mode 100644 index c01127776..000000000 --- a/policy/modules/apps/evolution.fc +++ /dev/null @@ -1,21 +0,0 @@ -# -# HOME_DIR/ -# - -HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) -HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) - -# -# /tmp -# -/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) - -# -# /usr -# -/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0) - -/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0) -/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0) -/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0) -/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0) diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if deleted file mode 100644 index 1cb204c9e..000000000 --- a/policy/modules/apps/evolution.if +++ /dev/null @@ -1,153 +0,0 @@ -## Evolution email client - -######################################## -## -## Role access for evolution -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`evolution_role',` - gen_require(` - type evolution_t, evolution_exec_t, evolution_home_t; - type evolution_alarm_t, evolution_alarm_exec_t; - type evolution_exchange_t, evolution_exchange_exec_t; - type evolution_exchange_orbit_tmp_t; - type evolution_server_t, evolution_server_exec_t; - type evolution_webcal_t, evolution_webcal_exec_t; - ') - - role $1 types { evolution_t evolution_alarm_t evolution_exchange_t }; - role $1 types { evolution_server_t evolution_webcal_t }; - - domtrans_pattern($2, evolution_exec_t, evolution_t) - domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) - domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) - domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) - domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) - - ps_process_pattern($2, evolution_t) - ps_process_pattern($2, evolution_alarm_t) - ps_process_pattern($2, evolution_exchange_t) - ps_process_pattern($2, evolution_server_t) - ps_process_pattern($2, evolution_webcal_t) - - allow evolution_t $2:dir search; - allow evolution_t $2:file read; - allow evolution_t $2:lnk_file read; - allow evolution_t $2:unix_stream_socket connectto; - - allow $2 evolution_t:unix_stream_socket connectto; - allow $2 evolution_t:process noatsecure; - allow $2 evolution_t:process signal_perms; - - # Access .evolution - allow $2 evolution_home_t:dir manage_dir_perms; - allow $2 evolution_home_t:file manage_file_perms; - allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; - allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; - - allow evolution_exchange_t $2:unix_stream_socket connectto; - - # Clock applet talks to exchange (FIXME: Needs policy) - allow $2 evolution_exchange_t:unix_stream_socket connectto; - allow $2 evolution_exchange_orbit_tmp_t:sock_file write; -') - -######################################## -## -## Create objects in users evolution home folders. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`evolution_home_filetrans',` - gen_require(` - type evolution_home_t; - ') - - allow $1 evolution_home_t:dir rw_dir_perms; - type_transition $1 evolution_home_t:$3 $2; -') - -######################################## -## -## Connect to evolution unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`evolution_stream_connect',` - gen_require(` - type evolution_t, evolution_home_t; - ') - - allow $1 evolution_t:unix_stream_socket connectto; - allow $1 evolution_home_t:dir search; -') - -######################################## -## -## Send and receive messages from -## evolution over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`evolution_dbus_chat',` - gen_require(` - type evolution_t; - class dbus send_msg; - ') - - allow $1 evolution_t:dbus send_msg; - allow evolution_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## evolution_alarm over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`evolution_alarm_dbus_chat',` - gen_require(` - type evolution_alarm_t; - class dbus send_msg; - ') - - allow $1 evolution_alarm_t:dbus send_msg; - allow evolution_alarm_t $1:dbus send_msg; -') diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te deleted file mode 100644 index cd7095807..000000000 --- a/policy/modules/apps/evolution.te +++ /dev/null @@ -1,618 +0,0 @@ -policy_module(evolution, 2.2.0) - -######################################## -# -# Declarations -# - -type evolution_t; -type evolution_exec_t; -typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; -typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; -application_domain(evolution_t, evolution_exec_t) -ubac_constrained(evolution_t) - -type evolution_alarm_t; -type evolution_alarm_exec_t; -typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; -typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; -application_domain(evolution_alarm_t, evolution_alarm_exec_t) -ubac_constrained(evolution_alarm_t) - -type evolution_alarm_tmpfs_t; -typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; -typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; -files_tmpfs_file(evolution_alarm_tmpfs_t) -ubac_constrained(evolution_alarm_tmpfs_t) - -type evolution_alarm_orbit_tmp_t; -typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; -typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; -files_tmp_file(evolution_alarm_orbit_tmp_t) -ubac_constrained(evolution_alarm_orbit_tmp_t) - -type evolution_exchange_t; -type evolution_exchange_exec_t; -typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; -typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; -application_domain(evolution_exchange_t, evolution_exchange_exec_t) -ubac_constrained(evolution_exchange_t) - -type evolution_exchange_tmpfs_t; -typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; -typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; -files_tmpfs_file(evolution_exchange_tmpfs_t) -ubac_constrained(evolution_exchange_tmpfs_t) - -type evolution_exchange_tmp_t; -typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; -typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; -files_tmp_file(evolution_exchange_tmp_t) -ubac_constrained(evolution_exchange_tmp_t) - -type evolution_exchange_orbit_tmp_t; -typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; -typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; -files_tmp_file(evolution_exchange_orbit_tmp_t) -ubac_constrained(evolution_exchange_orbit_tmp_t) - -type evolution_home_t; -typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; -typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t }; -userdom_user_home_content(evolution_home_t) - -type evolution_orbit_tmp_t; -typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; -typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; -files_tmp_file(evolution_orbit_tmp_t) -ubac_constrained(evolution_orbit_tmp_t) - -type evolution_server_t; -type evolution_server_exec_t; -typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; -typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t }; -application_domain(evolution_server_t, evolution_server_exec_t) -ubac_constrained(evolution_server_t) - -type evolution_server_orbit_tmp_t; -typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; -typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; -files_tmp_file(evolution_server_orbit_tmp_t) -ubac_constrained(evolution_server_orbit_tmp_t) - -type evolution_tmpfs_t; -typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; -typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; -files_tmpfs_file(evolution_tmpfs_t) -ubac_constrained(evolution_tmpfs_t) - -type evolution_webcal_t; -type evolution_webcal_exec_t; -typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; -typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; -application_domain(evolution_webcal_t, evolution_webcal_exec_t) -ubac_constrained(evolution_webcal_t) - -type evolution_webcal_tmpfs_t; -typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; -typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; -files_tmpfs_file(evolution_webcal_tmpfs_t) -ubac_constrained(evolution_webcal_tmpfs_t) - -######################################## -# -# Evolution local policy -# - -allow evolution_t self:capability { setuid setgid sys_nice }; -allow evolution_t self:process { signal getsched setsched }; -allow evolution_t self:fifo_file rw_file_perms; -allow evolution_t self:tcp_socket create_socket_perms; -allow evolution_t self:udp_socket create_socket_perms; - -allow evolution_t evolution_alarm_t:dir search_dir_perms; -allow evolution_t evolution_alarm_t:file read; - -allow evolution_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write; - -can_exec(evolution_t, evolution_alarm_exec_t) - -allow evolution_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write; - -allow evolution_t evolution_home_t:dir manage_dir_perms; -allow evolution_t evolution_home_t:file manage_file_perms; -allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; -userdom_search_user_home_dirs(evolution_t) - -allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; -allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) - -allow evolution_t evolution_server_t:dir search_dir_perms; -allow evolution_t evolution_server_t:file read; - -allow evolution_t evolution_server_t:unix_stream_socket connectto; -allow evolution_t evolution_server_orbit_tmp_t:sock_file write; - -can_exec(evolution_t, evolution_server_exec_t) - -allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; -allow evolution_t evolution_tmpfs_t:file manage_file_perms; -allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -#FIXME check to see if really needed -kernel_read_kernel_sysctls(evolution_t) -kernel_read_system_state(evolution_t) -# Allow netstat -kernel_read_network_state(evolution_t) -kernel_read_net_sysctls(evolution_t) - -corecmd_exec_shell(evolution_t) -# Run various programs -corecmd_exec_bin(evolution_t) - -corenet_all_recvfrom_unlabeled(evolution_t) -corenet_all_recvfrom_netlabel(evolution_t) -corenet_tcp_sendrecv_generic_if(evolution_t) -corenet_udp_sendrecv_generic_if(evolution_t) -corenet_raw_sendrecv_generic_if(evolution_t) -corenet_tcp_sendrecv_generic_node(evolution_t) -corenet_udp_sendrecv_generic_node(evolution_t) -corenet_tcp_sendrecv_pop_port(evolution_t) -corenet_udp_sendrecv_pop_port(evolution_t) -corenet_tcp_sendrecv_smtp_port(evolution_t) -corenet_udp_sendrecv_smtp_port(evolution_t) -corenet_tcp_sendrecv_innd_port(evolution_t) -corenet_udp_sendrecv_innd_port(evolution_t) -corenet_tcp_sendrecv_ldap_port(evolution_t) -corenet_udp_sendrecv_ldap_port(evolution_t) -corenet_tcp_sendrecv_ipp_port(evolution_t) -corenet_udp_sendrecv_ipp_port(evolution_t) -corenet_tcp_connect_pop_port(evolution_t) -corenet_tcp_connect_smtp_port(evolution_t) -corenet_tcp_connect_innd_port(evolution_t) -corenet_tcp_connect_ldap_port(evolution_t) -corenet_tcp_connect_ipp_port(evolution_t) -corenet_sendrecv_pop_client_packets(evolution_t) -corenet_sendrecv_smtp_client_packets(evolution_t) -corenet_sendrecv_innd_client_packets(evolution_t) -corenet_sendrecv_ldap_client_packets(evolution_t) -corenet_sendrecv_ipp_client_packets(evolution_t) -# not sure about this bind -corenet_udp_bind_generic_node(evolution_t) -corenet_udp_bind_generic_port(evolution_t) - -dev_read_urand(evolution_t) - -domain_dontaudit_read_all_domains_state(evolution_t) - -files_read_etc_files(evolution_t) -files_read_usr_files(evolution_t) -files_read_usr_symlinks(evolution_t) -files_read_var_files(evolution_t) - -fs_search_auto_mountpoints(evolution_t) - -logging_send_syslog_msg(evolution_t) - -miscfiles_read_localization(evolution_t) - -sysnet_read_config(evolution_t) -sysnet_dns_name_resolve(evolution_t) - -udev_read_state(evolution_t) - -userdom_rw_user_tmp_files(evolution_t) -userdom_manage_user_tmp_dirs(evolution_t) -userdom_manage_user_tmp_sockets(evolution_t) -userdom_manage_user_tmp_files(evolution_t) -userdom_use_user_terminals(evolution_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_t) - -mta_read_config(evolution_t) - -xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) -xserver_read_xdm_tmp_files(evolution_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(evolution_t) - fs_manage_nfs_files(evolution_t) - fs_manage_nfs_symlinks(evolution_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(evolution_t) - fs_manage_cifs_files(evolution_t) - fs_manage_cifs_symlinks(evolution_t) -') - -tunable_policy(`mail_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(evolution_t) - files_list_home(evolution_t) - fs_read_nfs_files(evolution_t) - fs_read_nfs_symlinks(evolution_t) - -',` - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_auto_mountpoints(evolution_t) - fs_dontaudit_read_nfs_files(evolution_t) - fs_dontaudit_list_nfs(evolution_t) -') - -tunable_policy(`mail_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(evolution_t) - files_list_home(evolution_t) - fs_read_cifs_files(evolution_t) - fs_read_cifs_symlinks(evolution_t) -',` - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_auto_mountpoints(evolution_t) - fs_dontaudit_read_cifs_files(evolution_t) - fs_dontaudit_list_cifs(evolution_t) -') - -tunable_policy(`mail_read_content',` - userdom_list_user_tmp(evolution_t) - userdom_read_user_tmp_files(evolution_t) - userdom_read_user_tmp_symlinks(evolution_t) - userdom_read_user_home_content_files(evolution_t) - userdom_read_user_home_content_symlinks(evolution_t) - - ifndef(`enable_mls',` - fs_search_removable(evolution_t) - fs_read_removable_files(evolution_t) - fs_read_removable_symlinks(evolution_t) - ') -',` - files_dontaudit_list_tmp(evolution_t) - files_dontaudit_list_home(evolution_t) - fs_dontaudit_list_removable(evolution_t) - fs_dontaudit_read_removable_files(evolution_t) - userdom_dontaudit_list_user_tmp(evolution_t) - userdom_dontaudit_read_user_tmp_files(evolution_t) - userdom_dontaudit_list_user_home_dirs(evolution_t) - userdom_dontaudit_read_user_home_content_files(evolution_t) -') - -optional_policy(` - automount_read_state(evolution_t) -') - -# Allow printing the mail -optional_policy(` - cups_read_rw_config(evolution_t) -') - -optional_policy(` - dbus_system_bus_client(evolution_t) - dbus_session_bus_client(evolution_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_t) -') - -# Encrypt mail -optional_policy(` - gpg_domtrans(evolution_t) - gpg_signal(evolution_t) -') - -optional_policy(` - lpd_domtrans_lpr(evolution_t) -') - -optional_policy(` - mozilla_read_user_home_files(evolution_t) - mozilla_domtrans(evolution_t) -') - -# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) -optional_policy(` - nis_use_ypbind(evolution_t) -') - -optional_policy(` - nscd_socket_use(evolution_t) -') - -### Junk mail filtering (start spamd) -optional_policy(` - spamassassin_exec_spamd(evolution_t) - spamassassin_domtrans_client(evolution_t) - spamassassin_domtrans_local_client(evolution_t) - # Allow evolution to signal the daemon - # FIXME: Now evolution can read spamd temp files - spamassassin_read_spamd_tmp_files(evolution_t) - spamassassin_signal_spamd(evolution_t) - spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) -') - -######################################## -# -# Evolution alarm local policy -# - -allow evolution_alarm_t self:process { signal getsched }; -allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; - -allow evolution_alarm_t evolution_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; -allow evolution_alarm_t evolution_home_t:file manage_file_perms; -allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto; -allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; - -dev_read_urand(evolution_alarm_t) - -files_read_etc_files(evolution_alarm_t) -files_read_usr_files(evolution_alarm_t) - -fs_search_auto_mountpoints(evolution_alarm_t) - -miscfiles_read_localization(evolution_alarm_t) - -# Access evolution home -userdom_search_user_home_dirs(evolution_alarm_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) - -xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_alarm_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_alarm_t) -') - -optional_policy(` - dbus_session_bus_client(evolution_alarm_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_alarm_t) -') - -optional_policy(` - nscd_socket_use(evolution_alarm_t) -') - -######################################## -# -# Evolution exchange connector local policy -# - -allow evolution_exchange_t self:process getsched; -allow evolution_exchange_t self:fifo_file rw_fifo_file_perms; - -allow evolution_exchange_t self:tcp_socket create_socket_perms; -allow evolution_exchange_t self:udp_socket create_socket_perms; - -allow evolution_exchange_t evolution_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_home_t:file manage_file_perms; -allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto; -allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write; - -# /tmp/.exchange-$USER -allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; -allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; -files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) - -allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_network_state(evolution_exchange_t) -kernel_read_net_sysctls(evolution_exchange_t) - -# Allow netstat -corecmd_exec_bin(evolution_exchange_t) - -dev_read_urand(evolution_exchange_t) - -files_read_etc_files(evolution_exchange_t) -files_read_usr_files(evolution_exchange_t) - -# Access evolution home -fs_search_auto_mountpoints(evolution_exchange_t) - -miscfiles_read_localization(evolution_exchange_t) - -userdom_write_user_tmp_sockets(evolution_exchange_t) -# Access evolution home -userdom_search_user_home_dirs(evolution_exchange_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) - -xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_exchange_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_exchange_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_exchange_t) -') - -optional_policy(` - nscd_socket_use(evolution_exchange_t) -') - -######################################## -# -# Evolution data server local policy -# - -allow evolution_server_t self:process { getsched signal }; - -allow evolution_server_t self:fifo_file { read write }; -allow evolution_server_t self:unix_stream_socket { accept connectto }; -# Talk to ldap (address book), -# Obtain weather data via http (read server name from xml file in /usr) -allow evolution_server_t self:tcp_socket create_socket_perms; - -allow evolution_server_t evolution_t:unix_stream_socket connectto; -allow evolution_server_t evolution_orbit_tmp_t:sock_file write; - -allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto; -allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write; - -# Access evolution home -allow evolution_server_t evolution_home_t:dir manage_dir_perms; -allow evolution_server_t evolution_home_t:file manage_file_perms; -allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; - -allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto; -allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write; - -kernel_read_system_state(evolution_server_t) - -corecmd_exec_shell(evolution_server_t) - -# Obtain weather data via http (read server name from xml file in /usr) -corenet_all_recvfrom_unlabeled(evolution_server_t) -corenet_all_recvfrom_netlabel(evolution_server_t) -corenet_tcp_sendrecv_generic_if(evolution_server_t) -corenet_tcp_sendrecv_generic_node(evolution_server_t) -corenet_tcp_sendrecv_http_port(evolution_server_t) -corenet_tcp_sendrecv_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_cache_port(evolution_server_t) -corenet_tcp_connect_http_port(evolution_server_t) -corenet_sendrecv_http_client_packets(evolution_server_t) -corenet_sendrecv_http_cache_client_packets(evolution_server_t) - -dev_read_urand(evolution_server_t) - -files_read_etc_files(evolution_server_t) -# Obtain weather data via http (read server name from xml file in /usr) -files_read_usr_files(evolution_server_t) - -fs_search_auto_mountpoints(evolution_server_t) - -miscfiles_read_localization(evolution_server_t) -# Look in /etc/pki -miscfiles_read_generic_certs(evolution_server_t) - -# Talk to ldap (address book) -sysnet_read_config(evolution_server_t) -sysnet_dns_name_resolve(evolution_server_t) -sysnet_use_ldap(evolution_server_t) - -# Access evolution home -userdom_search_user_home_dirs(evolution_server_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_server_t) - -# Access evolution home -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(evolution_server_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(evolution_server_t) -') - -optional_policy(` - gnome_stream_connect_gconf(evolution_server_t) -') - -optional_policy(` - nscd_socket_use(evolution_server_t) -') - -######################################## -# -# Evolution webcal local policy -# - -allow evolution_webcal_t self:tcp_socket create_socket_perms; - -# X/evolution common stuff -allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; -allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; -fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -corenet_all_recvfrom_unlabeled(evolution_webcal_t) -corenet_all_recvfrom_netlabel(evolution_webcal_t) -corenet_tcp_sendrecv_generic_if(evolution_webcal_t) -corenet_raw_sendrecv_generic_if(evolution_webcal_t) -corenet_tcp_sendrecv_generic_node(evolution_webcal_t) -corenet_raw_sendrecv_generic_node(evolution_webcal_t) -corenet_tcp_sendrecv_http_port(evolution_webcal_t) -corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_cache_port(evolution_webcal_t) -corenet_tcp_connect_http_port(evolution_webcal_t) -corenet_sendrecv_http_client_packets(evolution_webcal_t) -corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) - -# Networking capability - connect to website and handle ics link -sysnet_read_config(evolution_webcal_t) -sysnet_dns_name_resolve(evolution_webcal_t) - -# Search home directory (?) -userdom_search_user_home_dirs(evolution_webcal_t) -# FIXME: suppress access to .local/.icons/.themes until properly implemented -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) - -xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) - -optional_policy(` - nscd_socket_use(evolution_webcal_t) -') diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc deleted file mode 100644 index 78dc515e8..000000000 --- a/policy/modules/apps/games.fc +++ /dev/null @@ -1,66 +0,0 @@ -# -# /usr -# -/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0) -/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0) - -# -# /var -# -/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) -/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) - -ifndef(`distro_debian',` -/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0) -/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0) -')dnl end non-Debian section diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if deleted file mode 100644 index 7ac736d3a..000000000 --- a/policy/modules/apps/games.if +++ /dev/null @@ -1,51 +0,0 @@ -## Games - -############################################################ -## -## Role access for games -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`games_role',` - gen_require(` - type games_t, games_exec_t; - ') - - role $1 types games_t; - - domtrans_pattern($2, games_exec_t, games_t) - allow $2 games_t:unix_stream_socket connectto; - allow games_t $2:unix_stream_socket connectto; - - # Allow the user domain to signal/ps. - ps_process_pattern($2, games_t) - allow $2 games_t:process signal_perms; -') - -######################################## -## -## Allow the specified domain to read/write -## games data. -## -## -## -## Domain allowed access. -## -## -# -interface(`games_rw_data',` - gen_require(` - type games_data_t; - ') - - rw_files_pattern($1, games_data_t, games_data_t) -') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te deleted file mode 100644 index ac4f5098e..000000000 --- a/policy/modules/apps/games.te +++ /dev/null @@ -1,181 +0,0 @@ -policy_module(games, 2.1.0) - -######################################## -# -# Declarations -# - -type games_t; -type games_exec_t; -typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; -typealias games_t alias { auditadm_games_t secadm_games_t }; -application_domain(games_t, games_exec_t) -ubac_constrained(games_t) - -type games_data_t; -typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; -typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; -files_type(games_data_t) -ubac_constrained(games_data_t) - -type games_devpts_t; -typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t }; -typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }; -term_pty(games_devpts_t) -ubac_constrained(games_devpts_t) - -# games_srv_t is for system operation of games, generic games daemons and -# games recovery scripts -type games_srv_t; -init_system_domain(games_srv_t, games_exec_t) - -type games_srv_var_run_t; -files_pid_file(games_srv_var_run_t) - -type games_tmp_t; -typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; -typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; -files_tmp_file(games_tmp_t) -ubac_constrained(games_tmp_t) - -type games_tmpfs_t; -typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; -typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; -files_tmpfs_file(games_tmpfs_t) -ubac_constrained(games_tmpfs_t) - -######################################## -# -# Server local policy -# - -dontaudit games_srv_t self:capability sys_tty_config; -allow games_srv_t self:process signal_perms; - -manage_files_pattern(games_srv_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) - -manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) -files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) - -can_exec(games_srv_t, games_exec_t) - -kernel_read_kernel_sysctls(games_srv_t) -kernel_list_proc(games_srv_t) -kernel_read_proc_symlinks(games_srv_t) - -dev_read_sysfs(games_srv_t) - -fs_getattr_all_fs(games_srv_t) -fs_search_auto_mountpoints(games_srv_t) - -term_dontaudit_use_console(games_srv_t) - -domain_use_interactive_fds(games_srv_t) - -init_use_fds(games_srv_t) -init_use_script_ptys(games_srv_t) - -logging_send_syslog_msg(games_srv_t) - -miscfiles_read_localization(games_srv_t) - -userdom_dontaudit_use_unpriv_user_fds(games_srv_t) - -userdom_dontaudit_search_user_home_dirs(games_srv_t) - -optional_policy(` - seutil_sigchld_newrole(games_srv_t) -') - -optional_policy(` - udev_read_db(games_srv_t) -') - -######################################## -# -# Local policy -# - -allow games_t self:sem create_sem_perms; -allow games_t self:tcp_socket create_stream_socket_perms; -allow games_t self:udp_socket create_socket_perms; - -manage_files_pattern(games_t, games_data_t, games_data_t) -manage_lnk_files_pattern(games_t, games_data_t, games_data_t) - -allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(games_t, games_devpts_t) - -manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) -manage_files_pattern(games_t, games_tmp_t, games_tmp_t) -files_tmp_filetrans(games_t, games_tmp_t, { file dir }) - -manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) -fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(games_t, games_exec_t) - -kernel_read_system_state(games_t) - -corecmd_exec_bin(games_t) - -corenet_all_recvfrom_unlabeled(games_t) -corenet_all_recvfrom_netlabel(games_t) -corenet_tcp_sendrecv_generic_if(games_t) -corenet_udp_sendrecv_generic_if(games_t) -corenet_tcp_sendrecv_generic_node(games_t) -corenet_udp_sendrecv_generic_node(games_t) -corenet_tcp_sendrecv_all_ports(games_t) -corenet_udp_sendrecv_all_ports(games_t) -corenet_tcp_bind_generic_node(games_t) -corenet_tcp_bind_generic_port(games_t) -corenet_tcp_connect_generic_port(games_t) -corenet_sendrecv_generic_client_packets(games_t) -corenet_sendrecv_generic_server_packets(games_t) - -dev_read_sound(games_t) -dev_write_sound(games_t) -dev_read_input(games_t) -dev_read_mouse(games_t) -dev_read_urand(games_t) - -files_list_var(games_t) -files_search_var_lib(games_t) -files_dontaudit_search_var(games_t) -files_read_etc_files(games_t) -files_read_usr_files(games_t) -files_read_var_files(games_t) - -init_dontaudit_rw_utmp(games_t) - -logging_dontaudit_search_logs(games_t) - -miscfiles_read_man_pages(games_t) -miscfiles_read_localization(games_t) - -sysnet_read_config(games_t) - -userdom_manage_user_tmp_dirs(games_t) -userdom_manage_user_tmp_files(games_t) -userdom_manage_user_tmp_symlinks(games_t) -userdom_manage_user_tmp_sockets(games_t) -# Suppress .icons denial until properly implemented -userdom_dontaudit_read_user_home_content_files(games_t) - -tunable_policy(`allow_execmem',` - allow games_t self:process execmem; -') - -optional_policy(` - nscd_socket_use(games_t) -') - -optional_policy(` - xserver_user_x_domain_template(games, games_t, games_tmpfs_t) - xserver_create_xdm_tmp_sockets(games_t) - xserver_read_xdm_lib_files(games_t) -') diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc deleted file mode 100644 index df7ced4bc..000000000 --- a/policy/modules/apps/gift.fc +++ /dev/null @@ -1,6 +0,0 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) - -/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) -/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) -/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) -/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if deleted file mode 100644 index c9b90d3a5..000000000 --- a/policy/modules/apps/gift.if +++ /dev/null @@ -1,42 +0,0 @@ -## giFT peer to peer file sharing tool - -############################################################ -## -## Role access for gift -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gift_role',` - gen_require(` - type gift_t, gift_exec_t; - type giftd_t, giftd_exec_t; - type gift_home_t; - ') - - role $1 types { gift_t giftd_t }; - - # transition from user domain - domtrans_pattern($2, gift_exec_t, gift_t) - domtrans_pattern($2, giftd_exec_t, giftd_t) - - # user managed content - manage_dirs_pattern($2, gift_home_t, gift_home_t) - manage_files_pattern($2, gift_home_t, gift_home_t) - manage_lnk_files_pattern($2, gift_home_t, gift_home_t) - relabel_dirs_pattern($2, gift_home_t, gift_home_t) - relabel_files_pattern($2, gift_home_t, gift_home_t) - relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, { gift_t giftd_t }) - allow $2 { gift_t giftd_t }:process signal_perms; -') diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te deleted file mode 100644 index 6e4add56d..000000000 --- a/policy/modules/apps/gift.te +++ /dev/null @@ -1,147 +0,0 @@ -policy_module(gift, 2.2.0) - -######################################## -# -# Declarations -# - -type gift_t; -type gift_exec_t; -typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; -typealias gift_t alias { auditadm_gift_t secadm_gift_t }; -application_domain(gift_t, gift_exec_t) -ubac_constrained(gift_t) - -type gift_home_t; -typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; -typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t }; -userdom_user_home_content(gift_home_t) - -type gift_tmpfs_t; -typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t }; -typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t }; -files_tmpfs_file(gift_tmpfs_t) -ubac_constrained(gift_tmpfs_t) - -type giftd_t; -type giftd_exec_t; -typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; -typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; -application_domain(giftd_t, giftd_exec_t) -ubac_constrained(giftd_t) - -############################## -# -# giFT user interface local policy -# - -allow gift_t self:tcp_socket create_socket_perms; - -manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) -fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(gift_t, gift_home_t, gift_home_t) -manage_files_pattern(gift_t, gift_home_t, gift_home_t) -manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) -userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) - -# Launch gift daemon -domtrans_pattern(gift_t, giftd_exec_t, giftd_t) - -# Read /proc/meminfo -kernel_read_system_state(gift_t) - -# Connect to gift daemon -corenet_all_recvfrom_unlabeled(gift_t) -corenet_all_recvfrom_netlabel(gift_t) -corenet_tcp_sendrecv_generic_if(gift_t) -corenet_tcp_sendrecv_generic_node(gift_t) -corenet_tcp_sendrecv_giftd_port(gift_t) -corenet_tcp_connect_giftd_port(gift_t) -corenet_sendrecv_giftd_client_packets(gift_t) - -fs_search_auto_mountpoints(gift_t) - -sysnet_read_config(gift_t) - -# giftui looks in .icons, .themes. -userdom_dontaudit_read_user_home_content_files(gift_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gift_t) - fs_manage_nfs_files(gift_t) - fs_manage_nfs_symlinks(gift_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gift_t) - fs_manage_cifs_files(gift_t) - fs_manage_cifs_symlinks(gift_t) -') - -optional_policy(` - nscd_socket_use(gift_t) -') - -optional_policy(` - xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) -') - -############################## -# -# giFT server local policy -# - -allow giftd_t self:process { signal setsched }; -allow giftd_t self:unix_stream_socket create_socket_perms; -allow giftd_t self:tcp_socket create_stream_socket_perms; -allow giftd_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t) -manage_files_pattern(giftd_t, gift_home_t, gift_home_t) -manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t) -userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) - -kernel_read_system_state(giftd_t) -kernel_read_kernel_sysctls(giftd_t) - -# Serve content on various p2p networks. Ports can be random. -corenet_all_recvfrom_unlabeled(giftd_t) -corenet_all_recvfrom_netlabel(giftd_t) -corenet_tcp_sendrecv_generic_if(giftd_t) -corenet_udp_sendrecv_generic_if(giftd_t) -corenet_tcp_sendrecv_generic_node(giftd_t) -corenet_udp_sendrecv_generic_node(giftd_t) -corenet_tcp_sendrecv_all_ports(giftd_t) -corenet_udp_sendrecv_all_ports(giftd_t) -corenet_tcp_bind_generic_node(giftd_t) -corenet_udp_bind_generic_node(giftd_t) -corenet_tcp_bind_all_ports(giftd_t) -corenet_udp_bind_all_ports(giftd_t) -corenet_tcp_connect_all_ports(giftd_t) -corenet_sendrecv_all_client_packets(giftd_t) - -files_read_usr_files(giftd_t) -# Read /etc/mtab -files_read_etc_runtime_files(giftd_t) - -miscfiles_read_localization(giftd_t) - -sysnet_read_config(giftd_t) - -userdom_use_user_terminals(giftd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(giftd_t) - fs_manage_nfs_files(giftd_t) - fs_manage_nfs_symlinks(giftd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(giftd_t) - fs_manage_cifs_files(giftd_t) - fs_manage_cifs_symlinks(giftd_t) -') diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc deleted file mode 100644 index 7e90e453d..000000000 --- a/policy/modules/apps/gitosis.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) -/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) - -/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if deleted file mode 100644 index e898b9114..000000000 --- a/policy/modules/apps/gitosis.if +++ /dev/null @@ -1,86 +0,0 @@ -## Tools for managing and hosting git repositories. - -####################################### -## -## Execute a domain transition to run gitosis. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gitosis_domtrans',` - gen_require(` - type gitosis_t, gitosis_exec_t; - ') - - domtrans_pattern($1, gitosis_exec_t, gitosis_t) -') - -####################################### -## -## Execute gitosis-serve in the gitosis domain, and -## allow the specified role the gitosis domain. -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access. -## -## -# -interface(`gitosis_run',` - gen_require(` - type gitosis_t; - ') - - gitosis_domtrans($1) - role $2 types gitosis_t; -') - -####################################### -## -## Allow the specified domain to read -## gitosis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gitosis_read_lib_files',` - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) -') - -###################################### -## -## Allow the specified domain to manage -## gitosis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gitosis_manage_lib_files',` - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) -') diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te deleted file mode 100644 index 4a2e63b36..000000000 --- a/policy/modules/apps/gitosis.te +++ /dev/null @@ -1,41 +0,0 @@ -policy_module(gitosis, 1.2.0) - -######################################## -# -# Declarations -# - -type gitosis_t; -type gitosis_exec_t; -application_domain(gitosis_t, gitosis_exec_t) -role system_r types gitosis_t; - -type gitosis_var_lib_t; -files_type(gitosis_var_lib_t) - -######################################## -# -# gitosis local policy -# - -allow gitosis_t self:fifo_file rw_fifo_file_perms; - -exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) -manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) - -kernel_read_system_state(gitosis_t) - -corecmd_exec_bin(gitosis_t) -corecmd_exec_shell(gitosis_t) - -dev_read_urand(gitosis_t) - -files_read_etc_files(gitosis_t) -files_read_usr_files(gitosis_t) -files_search_var_lib(gitosis_t) - -miscfiles_read_localization(gitosis_t) - -sysnet_read_config(gitosis_t) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc deleted file mode 100644 index 00a19e3c4..000000000 --- a/policy/modules/apps/gnome.fc +++ /dev/null @@ -1,9 +0,0 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) - -/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) - -/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) - -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if deleted file mode 100644 index f5afe78db..000000000 --- a/policy/modules/apps/gnome.if +++ /dev/null @@ -1,190 +0,0 @@ -## GNU network object model environment (GNOME) - -############################################################ -## -## Role access for gnome -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gnome_role',` - gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; - ') - - role $1 types gconfd_t; - - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; - - ps_process_pattern($2, gconfd_t) - - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -') - -######################################## -## -## Execute gconf programs in -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_exec_gconf',` - gen_require(` - type gconfd_exec_t; - ') - - can_exec($1, gconfd_exec_t) -') - -######################################## -## -## Read gconf config files. -## -## -## -## Domain allowed access. -## -## -# -template(`gnome_read_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -') - -####################################### -## -## Create, read, write, and delete gconf config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_gconf_config',` - gen_require(` - type gconf_etc_t; - ') - - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -') - -######################################## -## -## gconf connection template. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_stream_connect_gconf',` - gen_require(` - type gconfd_t, gconf_tmp_t; - ') - - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -') - -######################################## -## -## Run gconfd in gconfd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_domtrans_gconfd',` - gen_require(` - type gconfd_t, gconfd_exec_t; - ') - - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -') - -######################################## -## -## Set attributes of Gnome config dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_setattr_config_dirs',` - gen_require(` - type gnome_home_t; - ') - - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -') - -######################################## -## -## Read gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -template(`gnome_read_config',` - gen_require(` - type gnome_home_t; - ') - - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) -') - -######################################## -## -## manage gnome homedir content (.config) -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_manage_config',` - gen_require(` - type gnome_home_t; - ') - - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te deleted file mode 100644 index 2505654ad..000000000 --- a/policy/modules/apps/gnome.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(gnome, 2.1.0) - -############################## -# -# Declarations -# - -attribute gnomedomain; - -type gconf_etc_t; -files_config_file(gconf_etc_t) - -type gconf_home_t; -typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; -typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; -typealias gconf_home_t alias unconfined_gconf_home_t; -userdom_user_home_content(gconf_home_t) - -type gconf_tmp_t; -typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; -typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -typealias gconf_tmp_t alias unconfined_gconf_tmp_t; -files_tmp_file(gconf_tmp_t) -ubac_constrained(gconf_tmp_t) - -type gconfd_t, gnomedomain; -type gconfd_exec_t; -typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; -typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; -application_domain(gconfd_t, gconfd_exec_t) -ubac_constrained(gconfd_t) - -type gnome_home_t; -typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; -typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; -typealias gnome_home_t alias unconfined_gnome_home_t; -userdom_user_home_content(gnome_home_t) - -############################## -# -# Local Policy -# - -allow gconfd_t self:process getsched; -allow gconfd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) -manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) -userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) - -dev_read_urand(gconfd_t) - -files_read_etc_files(gconfd_t) - -miscfiles_read_localization(gconfd_t) - -logging_send_syslog_msg(gconfd_t) - -userdom_manage_user_tmp_sockets(gconfd_t) -userdom_manage_user_tmp_dirs(gconfd_t) -userdom_tmp_filetrans_user_tmp(gconfd_t, dir) - -optional_policy(` - nscd_dontaudit_search_pid(gconfd_t) -') - -optional_policy(` - xserver_use_xdm_fds(gconfd_t) - xserver_rw_xdm_pipes(gconfd_t) -') diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc deleted file mode 100644 index e9853d418..000000000 --- a/policy/modules/apps/gpg.fc +++ /dev/null @@ -1,9 +0,0 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) - -/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) - -/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if deleted file mode 100644 index 6d50300c9..000000000 --- a/policy/modules/apps/gpg.if +++ /dev/null @@ -1,181 +0,0 @@ -## Policy for GNU Privacy Guard and related programs. - -############################################################ -## -## Role access for gpg -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`gpg_role',` - gen_require(` - type gpg_t, gpg_exec_t; - type gpg_agent_t, gpg_agent_exec_t; - type gpg_agent_tmp_t; - type gpg_helper_t, gpg_pinentry_t; - type gpg_pinentry_tmp_t; - ') - - role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; - - # transition from the userdomain to the derived domain - domtrans_pattern($2, gpg_exec_t, gpg_t) - - # allow ps to show gpg - ps_process_pattern($2, gpg_t) - allow $2 gpg_t:process { signull sigstop signal sigkill }; - - # communicate with the user - allow gpg_helper_t $2:fd use; - allow gpg_helper_t $2:fifo_file write; - - # allow ps to show gpg-agent - ps_process_pattern($2, gpg_agent_t) - - # Allow the user shell to signal the gpg-agent program. - allow $2 gpg_agent_t:process { signal sigkill }; - - manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - - # Transition from the user domain to the agent domain. - domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - - manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - - optional_policy(` - gpg_pinentry_dbus_chat($2) - ') - - ifdef(`hide_broken_symptoms',` - #Leaked File Descriptors - dontaudit gpg_t $2:socket_class_set { getattr read write }; - dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; - dontaudit gpg_agent_t $2:socket_class_set { getattr read write }; - dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; - ') -') - -######################################## -## -## Transition to a user gpg domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gpg_domtrans',` - gen_require(` - type gpg_t, gpg_exec_t; - ') - - domtrans_pattern($1, gpg_exec_t, gpg_t) -') - -######################################## -## -## Execute the gpg application without transitioning -## -## -## -## Domain allowed to execute gpg -## -## -# -interface(`gpg_exec',` - gen_require(` - type gpg_exec_t; - ') - - can_exec($1, gpg_exec_t) -') - -######################################## -## -## Send generic signals to user gpg processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_signal',` - gen_require(` - type gpg_t; - ') - - allow $1 gpg_t:process signal; -') - -######################################## -## -## Read and write GPG agent pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_rw_agent_pipes',` - # Just wants read/write could this be a leak? - gen_require(` - type gpg_agent_t; - ') - - allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send messages to and from GPG -## Pinentry over DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_pinentry_dbus_chat',` - gen_require(` - type gpg_pinentry_t; - class dbus send_msg; - ') - - allow $1 gpg_pinentry_t:dbus send_msg; - allow gpg_pinentry_t $1:dbus send_msg; -') - -######################################## -## -## List Gnu Privacy Guard user secrets. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpg_list_user_secrets',` - gen_require(` - type gpg_secret_t; - ') - - list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te deleted file mode 100644 index ebd6791c5..000000000 --- a/policy/modules/apps/gpg.te +++ /dev/null @@ -1,359 +0,0 @@ -policy_module(gpg, 2.4.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow usage of the gpg-agent --write-env-file option. -## This also allows gpg-agent to manage user files. -##

-## -gen_tunable(gpg_agent_env_file, false) - -type gpg_t; -type gpg_exec_t; -typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; -typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -application_domain(gpg_t, gpg_exec_t) -ubac_constrained(gpg_t) -role system_r types gpg_t; - -type gpg_agent_t; -type gpg_agent_exec_t; -typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; -typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; -application_domain(gpg_agent_t, gpg_agent_exec_t) -ubac_constrained(gpg_agent_t) - -type gpg_agent_tmp_t; -typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; -typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; -files_tmp_file(gpg_agent_tmp_t) -ubac_constrained(gpg_agent_tmp_t) - -type gpg_secret_t; -typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; -userdom_user_home_content(gpg_secret_t) - -type gpg_helper_t; -type gpg_helper_exec_t; -typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; -typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; -application_domain(gpg_helper_t, gpg_helper_exec_t) -ubac_constrained(gpg_helper_t) -role system_r types gpg_helper_t; - -type gpg_pinentry_t; -type pinentry_exec_t; -typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; -typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; -application_domain(gpg_pinentry_t, pinentry_exec_t) -ubac_constrained(gpg_pinentry_t) - -type gpg_pinentry_tmp_t; -files_tmp_file(gpg_pinentry_tmp_t) -ubac_constrained(gpg_pinentry_tmp_t) - -type gpg_pinentry_tmpfs_t; -files_tmpfs_file(gpg_pinentry_tmpfs_t) -ubac_constrained(gpg_pinentry_tmpfs_t) - -######################################## -# -# GPG local policy -# - -allow gpg_t self:capability { ipc_lock setuid }; -# setrlimit is for ulimit -c 0 -allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid }; - -allow gpg_t self:fifo_file rw_fifo_file_perms; -allow gpg_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) - -domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - -# transition from the gpg domain to the helper domain -domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) - -allow gpg_t gpg_secret_t:dir create_dir_perms; -manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) - -kernel_read_sysctl(gpg_t) - -corecmd_exec_shell(gpg_t) -corecmd_exec_bin(gpg_t) - -corenet_all_recvfrom_unlabeled(gpg_t) -corenet_all_recvfrom_netlabel(gpg_t) -corenet_tcp_sendrecv_generic_if(gpg_t) -corenet_udp_sendrecv_generic_if(gpg_t) -corenet_tcp_sendrecv_generic_node(gpg_t) -corenet_udp_sendrecv_generic_node(gpg_t) -corenet_tcp_sendrecv_all_ports(gpg_t) -corenet_udp_sendrecv_all_ports(gpg_t) -corenet_tcp_connect_all_ports(gpg_t) -corenet_sendrecv_all_client_packets(gpg_t) - -dev_read_rand(gpg_t) -dev_read_urand(gpg_t) -dev_read_generic_usb_dev(gpg_t) - -fs_getattr_xattr_fs(gpg_t) -fs_list_inotifyfs(gpg_t) - -domain_use_interactive_fds(gpg_t) - -files_read_etc_files(gpg_t) -files_read_usr_files(gpg_t) -files_dontaudit_search_var(gpg_t) - -auth_use_nsswitch(gpg_t) - -logging_send_syslog_msg(gpg_t) - -miscfiles_read_localization(gpg_t) - -userdom_use_user_terminals(gpg_t) -# sign/encrypt user files -userdom_manage_user_tmp_files(gpg_t) -userdom_manage_user_home_content_files(gpg_t) -userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) - -mta_write_config(gpg_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_t) - fs_manage_nfs_files(gpg_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_t) - fs_manage_cifs_files(gpg_t) -') - -optional_policy(` - mozilla_read_user_home_files(gpg_t) - mozilla_write_user_home_files(gpg_t) -') - -optional_policy(` - xserver_use_xdm_fds(gpg_t) - xserver_rw_xdm_pipes(gpg_t) -') - -optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -') - -######################################## -# -# GPG helper local policy -# - -allow gpg_helper_t self:process { getsched setsched }; - -# for helper programs (which automatically fetch keys) -# Note: this is only tested with the hkp interface. If you use eg the -# mail interface you will likely need additional permissions. - -allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; -allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; -allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; - -dontaudit gpg_helper_t gpg_secret_t:file read; - -corenet_all_recvfrom_unlabeled(gpg_helper_t) -corenet_all_recvfrom_netlabel(gpg_helper_t) -corenet_tcp_sendrecv_generic_if(gpg_helper_t) -corenet_raw_sendrecv_generic_if(gpg_helper_t) -corenet_udp_sendrecv_generic_if(gpg_helper_t) -corenet_tcp_sendrecv_generic_node(gpg_helper_t) -corenet_udp_sendrecv_generic_node(gpg_helper_t) -corenet_raw_sendrecv_generic_node(gpg_helper_t) -corenet_tcp_sendrecv_all_ports(gpg_helper_t) -corenet_udp_sendrecv_all_ports(gpg_helper_t) -corenet_tcp_bind_generic_node(gpg_helper_t) -corenet_udp_bind_generic_node(gpg_helper_t) -corenet_tcp_connect_all_ports(gpg_helper_t) - -files_read_etc_files(gpg_helper_t) - -auth_use_nsswitch(gpg_helper_t) - -userdom_use_user_terminals(gpg_helper_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files(gpg_helper_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files(gpg_helper_t) -') - -######################################## -# -# GPG agent local policy -# - -# rlimit: gpg-agent wants to prevent coredumps -allow gpg_agent_t self:process setrlimit; - -allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; -allow gpg_agent_t self:fifo_file rw_fifo_file_perms; - -# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - -# Allow the gpg-agent to manage its tmp files (socket) -manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - -# allow gpg to connect to the gpg agent -stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - -corecmd_read_bin_symlinks(gpg_agent_t) -corecmd_search_bin(gpg_agent_t) -corecmd_exec_shell(gpg_agent_t) - -dev_read_urand(gpg_agent_t) - -domain_use_interactive_fds(gpg_agent_t) - -fs_dontaudit_list_inotifyfs(gpg_agent_t) - -miscfiles_read_localization(gpg_agent_t) - -# Write to the user domain tty. -userdom_use_user_terminals(gpg_agent_t) -# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -userdom_search_user_home_dirs(gpg_agent_t) - -ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_tmp_files(gpg_agent_t) -') - -tunable_policy(`gpg_agent_env_file',` - # write ~/.gpg-agent-info or a similar to the users home dir - # or subdir (gpg-agent --write-env-file option) - # - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) - userdom_manage_user_home_content_dirs(gpg_agent_t) - userdom_manage_user_home_content_files(gpg_agent_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_agent_t) - fs_manage_nfs_files(gpg_agent_t) - fs_manage_nfs_symlinks(gpg_agent_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_agent_t) - fs_manage_cifs_files(gpg_agent_t) - fs_manage_cifs_symlinks(gpg_agent_t) -') - -optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -') - -############################## -# -# Pinentry local policy -# - -allow gpg_pinentry_t self:process { getcap getsched setsched signal }; -allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; -allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; -allow gpg_pinentry_t self:shm create_shm_perms; -allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; -allow gpg_pinentry_t self:unix_dgram_socket sendto; -allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; - -can_exec(gpg_pinentry_t, pinentry_exec_t) - -# we need to allow gpg-agent to call pinentry so it can get the passphrase -# from the user. -domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) - -manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) -userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) - -manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) -fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) - -# read /proc/meminfo -kernel_read_system_state(gpg_pinentry_t) - -corecmd_exec_bin(gpg_pinentry_t) - -corenet_all_recvfrom_netlabel(gpg_pinentry_t) -corenet_all_recvfrom_unlabeled(gpg_pinentry_t) -corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) -corenet_tcp_bind_generic_node(gpg_pinentry_t) -corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) -corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) - -dev_read_urand(gpg_pinentry_t) -dev_read_rand(gpg_pinentry_t) - -files_read_usr_files(gpg_pinentry_t) -# read /etc/X11/qtrc -files_read_etc_files(gpg_pinentry_t) - -fs_dontaudit_list_inotifyfs(gpg_pinentry_t) -fs_getattr_tmpfs(gpg_pinentry_t) - -auth_use_nsswitch(gpg_pinentry_t) - -logging_send_syslog_msg(gpg_pinentry_t) - -miscfiles_read_fonts(gpg_pinentry_t) -miscfiles_read_localization(gpg_pinentry_t) - -# for .Xauthority -userdom_read_user_home_content_files(gpg_pinentry_t) -userdom_read_user_tmpfs_files(gpg_pinentry_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) -') - -optional_policy(` - dbus_session_bus_client(gpg_pinentry_t) - dbus_system_bus_client(gpg_pinentry_t) -') - -optional_policy(` - pulseaudio_exec(gpg_pinentry_t) - pulseaudio_rw_home_files(gpg_pinentry_t) - pulseaudio_setattr_home_dir(gpg_pinentry_t) - pulseaudio_stream_connect(gpg_pinentry_t) - pulseaudio_signull(gpg_pinentry_t) -') - -optional_policy(` - xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) -') diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc deleted file mode 100644 index 65ece18ff..000000000 --- a/policy/modules/apps/irc.fc +++ /dev/null @@ -1,11 +0,0 @@ -# -# /home -# -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) - -# -# /usr -# -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if deleted file mode 100644 index 4f9dc90f7..000000000 --- a/policy/modules/apps/irc.if +++ /dev/null @@ -1,31 +0,0 @@ -## IRC client policy - -######################################## -## -## Role access for IRC -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`irc_role',` - gen_require(` - type irc_t, irc_exec_t; - ') - - role $1 types irc_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, irc_exec_t, irc_t) - - # allow ps to show irc - ps_process_pattern($2, irc_t) - allow $2 irc_t:process signal; -') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te deleted file mode 100644 index 66beb8060..000000000 --- a/policy/modules/apps/irc.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(irc, 2.1.0) - -######################################## -# -# Declarations -# - -type irc_t; -type irc_exec_t; -typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; -typealias irc_t alias { auditadm_irc_t secadm_irc_t }; -application_domain(irc_t, irc_exec_t) -ubac_constrained(irc_t) - -type irc_home_t; -typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; -typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; -userdom_user_home_content(irc_home_t) - -type irc_tmp_t; -typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; -typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_home_content(irc_tmp_t) - -######################################## -# -# Local policy -# - -allow irc_t self:unix_stream_socket create_stream_socket_perms; -allow irc_t self:tcp_socket create_socket_perms; -allow irc_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) -manage_files_pattern(irc_t, irc_home_t, irc_home_t) -manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) -userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) - -# access files under /tmp -manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) - -kernel_read_proc_symlinks(irc_t) - -corenet_all_recvfrom_unlabeled(irc_t) -corenet_all_recvfrom_netlabel(irc_t) -corenet_tcp_sendrecv_generic_if(irc_t) -corenet_udp_sendrecv_generic_if(irc_t) -corenet_tcp_sendrecv_generic_node(irc_t) -corenet_udp_sendrecv_generic_node(irc_t) -corenet_tcp_sendrecv_all_ports(irc_t) -corenet_udp_sendrecv_all_ports(irc_t) -corenet_sendrecv_ircd_client_packets(irc_t) -# cjp: this seems excessive: -corenet_tcp_connect_all_ports(irc_t) -corenet_sendrecv_all_client_packets(irc_t) - -domain_use_interactive_fds(irc_t) - -files_dontaudit_search_pids(irc_t) -files_search_var(irc_t) -files_read_etc_files(irc_t) -files_read_usr_files(irc_t) - -fs_getattr_xattr_fs(irc_t) -fs_search_auto_mountpoints(irc_t) - -term_use_controlling_term(irc_t) -term_list_ptys(irc_t) - -# allow utmp access -init_read_utmp(irc_t) -init_dontaudit_lock_utmp(irc_t) - -miscfiles_read_localization(irc_t) - -# Inherit and use descriptors from newrole. -seutil_use_newrole_fds(irc_t) - -sysnet_read_config(irc_t) - -# Write to the user domain tty. -userdom_use_user_terminals(irc_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(irc_t) - fs_manage_nfs_files(irc_t) - fs_manage_nfs_symlinks(irc_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(irc_t) - fs_manage_cifs_files(irc_t) - fs_manage_cifs_symlinks(irc_t) -') - -optional_policy(` - nis_use_ypbind(irc_t) -') diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc deleted file mode 100644 index 86c176876..000000000 --- a/policy/modules/apps/java.fc +++ /dev/null @@ -1,38 +0,0 @@ -# -# /opt -# -/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -# -# /usr -# -/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -ifdef(`distro_redhat',` -/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -') diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if deleted file mode 100644 index e6d84e86f..000000000 --- a/policy/modules/apps/java.if +++ /dev/null @@ -1,200 +0,0 @@ -## Java virtual machine - -######################################## -## -## Role access for java -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`java_role',` - gen_require(` - type java_t, java_exec_t; - ') - - role $1 types java_t; - - # The user role is authorized for this domain. - domtrans_pattern($2, java_exec_t, java_t) - allow java_t $2:process signull; - # Unrestricted inheritance from the caller. - allow $2 java_t:process { noatsecure siginh rlimitinh }; - - allow java_t $2:unix_stream_socket connectto; - allow java_t $2:unix_stream_socket { read write }; - allow java_t $2:tcp_socket { read write }; -') - -####################################### -## -## The role template for the java module. -## -## -##

-## This template creates a derived domains which are used -## for java applications. -##

-## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`java_role_template',` - gen_require(` - type java_exec_t; - ') - - type $1_java_t; - domain_type($1_java_t) - domain_entry_file($1_java_t, java_exec_t) - role $2 types $1_java_t; - - domain_interactive_fd($1_java_t) - - userdom_manage_user_tmpfs_files($1_java_t) - - allow $1_java_t self:process { ptrace signal getsched execmem execstack }; - - dontaudit $1_java_t $3:tcp_socket { read write }; - - allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; - - domtrans_pattern($3, java_exec_t, $1_java_t) - - corecmd_bin_domtrans($1_java_t, $3) - - dev_dontaudit_append_rand($1_java_t) - - files_execmod_all_files($1_java_t) - - fs_dontaudit_rw_tmpfs_files($1_java_t) - - optional_policy(` - xserver_role($2, $1_java_t) - ') -') - -######################################## -## -## Run java in javaplugin domain. -## -## -## -## Domain allowed to transition. -## -## -# -template(`java_domtrans',` - gen_require(` - type java_t, java_exec_t; - ') - - domtrans_pattern($1, java_exec_t, java_t) -') - -######################################## -## -## Execute java in the java domain, and -## allow the specified role the java domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`java_run',` - gen_require(` - type java_t; - ') - - java_domtrans($1) - role $2 types java_t; -') - -######################################## -## -## Execute the java program in the unconfined java domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`java_domtrans_unconfined',` - gen_require(` - type unconfined_java_t, java_exec_t; - ') - - domtrans_pattern($1, java_exec_t, unconfined_java_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute the java program in the unconfined java domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`java_run_unconfined',` - gen_require(` - type unconfined_java_t; - ') - - java_domtrans_unconfined($1) - role $2 types unconfined_java_t; -') - -######################################## -## -## Execute the java program in the java domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`java_exec',` - gen_require(` - type java_exec_t; - ') - - can_exec($1, java_exec_t) -') diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te deleted file mode 100644 index 167950d77..000000000 --- a/policy/modules/apps/java.te +++ /dev/null @@ -1,156 +0,0 @@ -policy_module(java, 2.4.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow java executable stack -##

-## -gen_tunable(allow_java_execstack, false) - -type java_t; -type java_exec_t; -application_domain(java_t, java_exec_t) -ubac_constrained(java_t) -typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; -typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; -role system_r types java_t; - -type java_tmp_t; -files_tmp_file(java_tmp_t) -ubac_constrained(java_tmp_t) -typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; -typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; - -type java_tmpfs_t; -ubac_constrained(java_tmpfs_t) -files_tmpfs_file(java_tmpfs_t) -typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; -typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; - -type unconfined_java_t; -init_system_domain(unconfined_java_t, java_exec_t) - -######################################## -# -# Local policy -# - -allow java_t self:process { signal_perms getsched setsched execmem }; -allow java_t self:fifo_file rw_fifo_file_perms; -allow java_t self:tcp_socket create_socket_perms; -allow java_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t) -manage_files_pattern(java_t, java_tmp_t, java_tmp_t) -files_tmp_filetrans(java_t, java_tmp_t, { file dir }) - -manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) -fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(java_t, java_exec_t) - -kernel_read_all_sysctls(java_t) -kernel_search_vm_sysctl(java_t) -kernel_read_network_state(java_t) -kernel_read_system_state(java_t) - -# Search bin directory under java for java executable -corecmd_search_bin(java_t) - -corenet_all_recvfrom_unlabeled(java_t) -corenet_all_recvfrom_netlabel(java_t) -corenet_tcp_sendrecv_generic_if(java_t) -corenet_udp_sendrecv_generic_if(java_t) -corenet_tcp_sendrecv_generic_node(java_t) -corenet_udp_sendrecv_generic_node(java_t) -corenet_tcp_sendrecv_all_ports(java_t) -corenet_udp_sendrecv_all_ports(java_t) -corenet_tcp_connect_all_ports(java_t) -corenet_sendrecv_all_client_packets(java_t) - -dev_read_sound(java_t) -dev_write_sound(java_t) -dev_read_urand(java_t) -dev_read_rand(java_t) -dev_dontaudit_append_rand(java_t) - -files_read_usr_files(java_t) -files_search_home(java_t) -files_search_var_lib(java_t) -files_read_etc_runtime_files(java_t) -# Read global fonts and font config -files_read_etc_files(java_t) - -fs_getattr_xattr_fs(java_t) -fs_dontaudit_rw_tmpfs_files(java_t) - -logging_send_syslog_msg(java_t) - -miscfiles_read_localization(java_t) -# Read global fonts and font config -miscfiles_read_fonts(java_t) - -sysnet_read_config(java_t) - -userdom_dontaudit_use_user_terminals(java_t) -userdom_dontaudit_setattr_user_home_content_files(java_t) -userdom_dontaudit_exec_user_home_content_files(java_t) -userdom_manage_user_home_content_dirs(java_t) -userdom_manage_user_home_content_files(java_t) -userdom_manage_user_home_content_symlinks(java_t) -userdom_manage_user_home_content_pipes(java_t) -userdom_manage_user_home_content_sockets(java_t) -userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) -userdom_write_user_tmp_sockets(java_t) - -tunable_policy(`allow_java_execstack',` - allow java_t self:process execstack; - - allow java_t java_tmp_t:file execute; - - libs_legacy_use_shared_libs(java_t) - libs_legacy_use_ld_so(java_t) - - miscfiles_legacy_read_localization(java_t) -') - -optional_policy(` - nis_use_ypbind(java_t) -') - -optional_policy(` - nscd_socket_use(java_t) -') - -optional_policy(` - xserver_user_x_domain_template(java, java_t, java_tmpfs_t) -') - -######################################## -# -# Unconfined java local policy -# - -optional_policy(` - # execheap is needed for itanium/BEA jrocket - allow unconfined_java_t self:process { execstack execmem execheap }; - - files_execmod_all_files(unconfined_java_t) - - init_dbus_chat_script(unconfined_java_t) - - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) - - optional_policy(` - rpm_domtrans(unconfined_java_t) - ') -') diff --git a/policy/modules/apps/kdumpgui.fc b/policy/modules/apps/kdumpgui.fc deleted file mode 100644 index 250679cd9..000000000 --- a/policy/modules/apps/kdumpgui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --git a/policy/modules/apps/kdumpgui.if b/policy/modules/apps/kdumpgui.if deleted file mode 100644 index d6af9b084..000000000 --- a/policy/modules/apps/kdumpgui.if +++ /dev/null @@ -1,2 +0,0 @@ -## system-config-kdump GUI - diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te deleted file mode 100644 index 0c52f6070..000000000 --- a/policy/modules/apps/kdumpgui.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(kdumpgui, 1.1.0) - -######################################## -# -# Declarations -# - -type kdumpgui_t; -type kdumpgui_exec_t; -dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) - -###################################### -# -# system-config-kdump local policy -# - -allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; -allow kdumpgui_t self:fifo_file rw_fifo_file_perms; -allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_system_state(kdumpgui_t) -kernel_read_network_state(kdumpgui_t) - -corecmd_exec_bin(kdumpgui_t) -corecmd_exec_shell(kdumpgui_t) - -dev_dontaudit_getattr_all_chr_files(kdumpgui_t) -dev_read_sysfs(kdumpgui_t) - -files_manage_boot_files(kdumpgui_t) -files_manage_boot_symlinks(kdumpgui_t) -# Needed for running chkconfig -files_manage_etc_symlinks(kdumpgui_t) -# for blkid.tab -files_manage_etc_runtime_files(kdumpgui_t) -files_etc_filetrans_etc_runtime(kdumpgui_t, file) -files_read_usr_files(kdumpgui_t) - -storage_raw_read_fixed_disk(kdumpgui_t) -storage_raw_write_fixed_disk(kdumpgui_t) - -auth_use_nsswitch(kdumpgui_t) - -logging_send_syslog_msg(kdumpgui_t) - -miscfiles_read_localization(kdumpgui_t) - -init_dontaudit_read_all_script_files(kdumpgui_t) - -optional_policy(` - consoletype_exec(kdumpgui_t) -') - -optional_policy(` - dev_rw_lvm_control(kdumpgui_t) -') - -optional_policy(` - kdump_manage_config(kdumpgui_t) - kdump_initrc_domtrans(kdumpgui_t) -') - -optional_policy(` - policykit_dbus_chat(kdumpgui_t) -') diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc deleted file mode 100644 index 34937fcfc..000000000 --- a/policy/modules/apps/livecd.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if deleted file mode 100644 index b2e27ec06..000000000 --- a/policy/modules/apps/livecd.if +++ /dev/null @@ -1,104 +0,0 @@ -## Livecd tool for building alternate livecd for different os and policy versions. - -######################################## -## -## Execute a domain transition to run livecd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`livecd_domtrans',` - gen_require(` - type livecd_t, livecd_exec_t; - ') - - domtrans_pattern($1, livecd_exec_t, livecd_t) -') - -######################################## -## -## Execute livecd in the livecd domain, and -## allow the specified role the livecd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`livecd_run',` - gen_require(` - type livecd_t; - ') - - livecd_domtrans($1) - role $2 types livecd_t; - - optional_policy(` - mount_run(livecd_t, $2) - ') -') - -######################################## -## -## Read livecd temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_read_tmp_files',` - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) -') - -######################################## -## -## Read and write livecd temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_rw_tmp_files',` - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) -') - -######################################## -## -## Allow read and write access to livecd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`livecd_rw_semaphores',` - gen_require(` - type livecd_t; - ') - - allow $1 livecd_t:sem { unix_read unix_write associate read write }; -') diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te deleted file mode 100644 index e3c0aa0a5..000000000 --- a/policy/modules/apps/livecd.te +++ /dev/null @@ -1,35 +0,0 @@ -policy_module(livecd, 1.1.0) - -######################################## -# -# Declarations -# - -type livecd_t; -type livecd_exec_t; -application_domain(livecd_t, livecd_exec_t) -role system_r types livecd_t; - -type livecd_tmp_t; -files_tmp_file(livecd_tmp_t) - -######################################## -# -# livecd local policy -# - -dontaudit livecd_t self:capability2 mac_admin; - -domain_ptrace_all_domains(livecd_t) - -manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) - -optional_policy(` - unconfined_domain(livecd_t) -') - -optional_policy(` - hal_dbus_chat(livecd_t) -') diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc deleted file mode 100644 index 8549f9fe7..000000000 --- a/policy/modules/apps/loadkeys.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) -/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if deleted file mode 100644 index b55edd05b..000000000 --- a/policy/modules/apps/loadkeys.if +++ /dev/null @@ -1,67 +0,0 @@ -## Load keyboard mappings. - -######################################## -## -## Execute the loadkeys program in the loadkeys domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`loadkeys_domtrans',` - gen_require(` - type loadkeys_t, loadkeys_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) - - ifdef(`hide_broken_symptoms',` - dontaudit loadkeys_t $1:socket_class_set { read write }; - ') -') - -######################################## -## -## Execute the loadkeys program in the loadkeys domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the loadkeys domain. -## -## -## -# -interface(`loadkeys_run',` - gen_require(` - type loadkeys_t; - ') - - loadkeys_domtrans($1) - role $2 types loadkeys_t; -') - -######################################## -## -## Execute the loadkeys program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`loadkeys_exec',` - gen_require(` - type loadkeys_exec_t; - ') - - can_exec($1, loadkeys_exec_t) -') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te deleted file mode 100644 index 2523758ca..000000000 --- a/policy/modules/apps/loadkeys.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(loadkeys, 1.8.0) - -######################################## -# -# Declarations -# - -# cjp: this should probably be rewritten -# per user domain, since it can rw -# all user domain ttys -type loadkeys_t; -type loadkeys_exec_t; -init_system_domain(loadkeys_t, loadkeys_exec_t) - -######################################## -# -# Local policy -# - -allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; -allow loadkeys_t self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(loadkeys_t) - -corecmd_exec_bin(loadkeys_t) -corecmd_exec_shell(loadkeys_t) - -files_read_etc_files(loadkeys_t) -files_read_etc_runtime_files(loadkeys_t) - -term_dontaudit_use_console(loadkeys_t) -term_use_unallocated_ttys(loadkeys_t) - -init_dontaudit_use_fds(loadkeys_t) -init_dontaudit_use_script_ptys(loadkeys_t) - -locallogin_use_fds(loadkeys_t) - -miscfiles_read_localization(loadkeys_t) - -userdom_use_user_ttys(loadkeys_t) -userdom_list_user_home_content(loadkeys_t) - -ifdef(`hide_broken_symptoms',` - dev_dontaudit_rw_lvm_control(loadkeys_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) -') diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc deleted file mode 100644 index 8b5ce032e..000000000 --- a/policy/modules/apps/lockdev.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0) diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if deleted file mode 100644 index 8e7d279a3..000000000 --- a/policy/modules/apps/lockdev.if +++ /dev/null @@ -1,33 +0,0 @@ -## device locking policy for lockdev - -######################################## -## -## Role access for lockdev -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`lockdev_role',` - gen_require(` - type lockdev_t, lockdev_exec_t; - type lockdev_lock_t; - ') - - role $1 types lockdev_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, lockdev_exec_t, lockdev_t) - allow lockdev_t $2:process signull; - - # allow ps to show lockdev - ps_process_pattern($2, lockdev_t) - allow $2 lockdev_t:process signal; -') diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te deleted file mode 100644 index 0bac99632..000000000 --- a/policy/modules/apps/lockdev.te +++ /dev/null @@ -1,39 +0,0 @@ -policy_module(lockdev, 1.3.0) - -######################################## -# -# Declarations -# - -type lockdev_t; -type lockdev_exec_t; -typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; -typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; -application_domain(lockdev_t, lockdev_exec_t) -ubac_constrained(lockdev_t) - -type lockdev_lock_t; -typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; -typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; -files_lock_file(lockdev_lock_t) -ubac_constrained(lockdev_lock_t) - -######################################## -# -# Local policy -# - -# Use capabilities. -allow lockdev_t self:capability setgid; - -allow lockdev_t lockdev_lock_t:file manage_file_perms; -files_lock_filetrans(lockdev_t, lockdev_lock_t, file) - -files_read_all_locks(lockdev_t) - -fs_getattr_xattr_fs(lockdev_t) - -logging_send_syslog_msg(lockdev_t) - -userdom_use_user_terminals(lockdev_t) - diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc deleted file mode 100644 index b01bc9131..000000000 --- a/policy/modules/apps/mono.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if deleted file mode 100644 index 7b08e138e..000000000 --- a/policy/modules/apps/mono.if +++ /dev/null @@ -1,138 +0,0 @@ -## Run .NET server and client applications on Linux. - -####################################### -## -## The role template for the mono module. -## -## -##

-## This template creates a derived domains which are used -## for mono applications. -##

-## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`mono_role_template',` - gen_require(` - type mono_exec_t; - ') - - type $1_mono_t; - domain_type($1_mono_t) - domain_entry_file($1_mono_t, mono_exec_t) - role $2 types $1_mono_t; - - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - - allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - - fs_dontaudit_rw_tmpfs_files($1_mono_t) - corecmd_bin_domtrans($1_mono_t, $1_t) - - userdom_manage_user_tmpfs_files($1_mono_t) - - optional_policy(` - xserver_role($1_r, $1_mono_t) - ') -') - -######################################## -## -## Execute the mono program in the mono domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mono_domtrans',` - gen_require(` - type mono_t, mono_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mono_exec_t, mono_t) -') - -######################################## -## -## Execute mono in the mono domain, and -## allow the specified role the mono domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`mono_run',` - gen_require(` - type mono_t; - ') - - mono_domtrans($1) - role $2 types mono_t; -') - -######################################## -## -## Execute the mono program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mono_exec',` - gen_require(` - type mono_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, mono_exec_t) -') - -######################################## -## -## Read and write to mono shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mono_rw_shm',` - gen_require(` - type mono_t; - ') - - allow $1 mono_t:shm rw_shm_perms; -') diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te deleted file mode 100644 index dff0f1279..000000000 --- a/policy/modules/apps/mono.te +++ /dev/null @@ -1,52 +0,0 @@ -policy_module(mono, 1.8.0) - -######################################## -# -# Declarations -# - -type mono_t; -type mono_exec_t; -application_type(mono_t) -init_system_domain(mono_t, mono_exec_t) - -######################################## -# -# Local policy -# - -allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; - -init_dbus_chat_script(mono_t) - -userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - avahi_dbus_chat(mono_t) -') - -optional_policy(` - cups_dbus_chat(mono_t) -') - -optional_policy(` - hal_dbus_chat(mono_t) -') - -optional_policy(` - networkmanager_dbus_chat(mono_t) -') - -optional_policy(` - rpm_dbus_chat(mono_t) -') - -optional_policy(` - unconfined_domain(mono_t) - unconfined_dbus_chat(mono_t) - unconfined_dbus_connect(mono_t) -') - -optional_policy(` - xserver_rw_shm(mono_t) -') diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc deleted file mode 100644 index 93ac529f9..000000000 --- a/policy/modules/apps/mozilla.fc +++ /dev/null @@ -1,29 +0,0 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - -# -# /bin -# -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - -# -# /lib -# -/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if deleted file mode 100644 index fbb5c5aaf..000000000 --- a/policy/modules/apps/mozilla.if +++ /dev/null @@ -1,306 +0,0 @@ -## Policy for Mozilla and related web browsers - -######################################## -## -## Role access for mozilla -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; - ') - - role $1 types mozilla_t; - - domain_auto_trans($2, mozilla_exec_t, mozilla_t) - # Unrestricted inheritance from the caller. - allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; - allow mozilla_t $2:fd use; - allow mozilla_t $2:process { sigchld signull }; - allow mozilla_t $2:unix_stream_socket connectto; - - # Allow the user domain to signal/ps. - ps_process_pattern($2, mozilla_t) - allow $2 mozilla_t:process signal_perms; - - allow $2 mozilla_t:fd use; - allow $2 mozilla_t:shm { associate getattr }; - allow $2 mozilla_t:shm { unix_read unix_write }; - allow $2 mozilla_t:unix_stream_socket connectto; - - # X access, Home files - manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) - manage_files_pattern($2, mozilla_home_t, mozilla_home_t) - manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - - mozilla_run_plugin(mozilla_t, $1) - mozilla_dbus_chat($2) - - optional_policy(` - pulseaudio_role($1, mozilla_t) - ') -') - -######################################## -## -## Read mozilla home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_read_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Write mozilla home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_write_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - write_files_pattern($1, mozilla_home_t, mozilla_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Dontaudit attempts to read/write mozilla home directory content -## -## -## -## Domain to not audit. -## -## -# -interface(`mozilla_dontaudit_rw_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:file rw_file_perms; -') - -######################################## -## -## Dontaudit attempts to write mozilla home directory content -## -## -## -## Domain to not audit. -## -## -# -interface(`mozilla_dontaudit_manage_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; -') - -######################################## -## -## Execute mozilla home directory content. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_exec_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - can_exec($1, mozilla_home_t) -') - -######################################## -## -## Execmod mozilla home directory content. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_execmod_user_home_files',` - gen_require(` - type mozilla_home_t; - ') - - allow $1 mozilla_home_t:file execmod; -') - -######################################## -## -## Run mozilla in the mozilla domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mozilla_domtrans',` - gen_require(` - type mozilla_t, mozilla_exec_t; - ') - - domtrans_pattern($1, mozilla_exec_t, mozilla_t) -') - -######################################## -## -## Execute a domain transition to run mozilla_plugin. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_domtrans_plugin',` - gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; - class dbus send_msg; - ') - - domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) - allow mozilla_plugin_t $1:process signull; -') - -######################################## -## -## Execute mozilla_plugin in the mozilla_plugin domain, and -## allow the specified role the mozilla_plugin domain. -## -## -## -## Domain allowed access -## -## -## -## -## The role to be allowed the mozilla_plugin domain. -## -## -# -interface(`mozilla_run_plugin',` - gen_require(` - type mozilla_plugin_t; - ') - - mozilla_domtrans_plugin($1) - role $2 types mozilla_plugin_t; -') - -######################################## -## -## Send and receive messages from -## mozilla over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_dbus_chat',` - gen_require(` - type mozilla_t; - class dbus send_msg; - ') - - allow $1 mozilla_t:dbus send_msg; - allow mozilla_t $1:dbus send_msg; -') - -######################################## -## -## read/write mozilla per user tcp_socket -## -## -## -## Domain allowed access. -## -## -# -interface(`mozilla_rw_tcp_sockets',` - gen_require(` - type mozilla_t; - ') - - allow $1 mozilla_t:tcp_socket rw_socket_perms; -') - -######################################## -## -## Read mozilla_plugin tmpfs files -## -## -## -## Domain allowed access -## -## -# -interface(`mozilla_plugin_read_tmpfs_files',` - gen_require(` - type mozilla_plugin_tmpfs_t; - ') - - allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; -') - -######################################## -## -## Delete mozilla_plugin tmpfs files -## -## -## -## Domain allowed access -## -## -# -interface(`mozilla_plugin_delete_tmpfs_files',` - gen_require(` - type mozilla_plugin_tmpfs_t; - ') - - allow $1 mozilla_plugin_tmpfs_t:file unlink; -') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te deleted file mode 100644 index 1039ff2d7..000000000 --- a/policy/modules/apps/mozilla.te +++ /dev/null @@ -1,455 +0,0 @@ -policy_module(mozilla, 2.4.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow confined web browsers to read home directory content -##

-## -gen_tunable(mozilla_read_content, false) - -type mozilla_t; -type mozilla_exec_t; -typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; -application_domain(mozilla_t, mozilla_exec_t) -ubac_constrained(mozilla_t) - -type mozilla_conf_t; -files_config_file(mozilla_conf_t) - -type mozilla_home_t; -typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; -typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -userdom_user_home_content(mozilla_home_t) - -type mozilla_plugin_t; -type mozilla_plugin_exec_t; -application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -role system_r types mozilla_plugin_t; - -type mozilla_plugin_tmp_t; -files_tmp_file(mozilla_plugin_tmp_t) -ubac_constrained(mozilla_plugin_tmp_t) - -type mozilla_plugin_tmpfs_t; -files_tmpfs_file(mozilla_plugin_tmpfs_t) -ubac_constrained(mozilla_plugin_tmpfs_t) - -type mozilla_tmp_t; -files_tmp_file(mozilla_tmp_t) -ubac_constrained(mozilla_tmp_t) - -type mozilla_tmpfs_t; -typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; -typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; -files_tmpfs_file(mozilla_tmpfs_t) -ubac_constrained(mozilla_tmpfs_t) - -######################################## -# -# Local policy -# - -allow mozilla_t self:capability { sys_nice setgid setuid }; -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; -allow mozilla_t self:fifo_file rw_fifo_file_perms; -allow mozilla_t self:shm { unix_read unix_write read write destroy create }; -allow mozilla_t self:sem create_sem_perms; -allow mozilla_t self:socket create_socket_perms; -allow mozilla_t self:unix_stream_socket { listen accept }; -# Browse the web, connect to printer -allow mozilla_t self:tcp_socket create_socket_perms; -allow mozilla_t self:netlink_route_socket r_netlink_socket_perms; - -# for bash - old mozilla binary -can_exec(mozilla_t, mozilla_exec_t) - -# X access, Home files -manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -userdom_search_user_home_dirs(mozilla_t) -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) - -# Mozpluggerrc -allow mozilla_t mozilla_conf_t:file read_file_perms; - -manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) - -manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(mozilla_t) -kernel_read_network_state(mozilla_t) -# Access /proc, sysctl -kernel_read_system_state(mozilla_t) -kernel_read_net_sysctls(mozilla_t) - -# Look for plugins -corecmd_list_bin(mozilla_t) -# for bash - old mozilla binary -corecmd_exec_shell(mozilla_t) -corecmd_exec_bin(mozilla_t) - -# Browse the web, connect to printer -corenet_all_recvfrom_unlabeled(mozilla_t) -corenet_all_recvfrom_netlabel(mozilla_t) -corenet_tcp_sendrecv_generic_if(mozilla_t) -corenet_raw_sendrecv_generic_if(mozilla_t) -corenet_tcp_sendrecv_generic_node(mozilla_t) -corenet_raw_sendrecv_generic_node(mozilla_t) -corenet_tcp_sendrecv_http_port(mozilla_t) -corenet_tcp_sendrecv_http_cache_port(mozilla_t) -corenet_tcp_sendrecv_squid_port(mozilla_t) -corenet_tcp_sendrecv_ftp_port(mozilla_t) -corenet_tcp_sendrecv_ipp_port(mozilla_t) -corenet_tcp_connect_http_port(mozilla_t) -corenet_tcp_connect_http_cache_port(mozilla_t) -corenet_tcp_connect_squid_port(mozilla_t) -corenet_tcp_connect_ftp_port(mozilla_t) -corenet_tcp_connect_ipp_port(mozilla_t) -corenet_tcp_connect_generic_port(mozilla_t) -corenet_tcp_connect_soundd_port(mozilla_t) -corenet_sendrecv_http_client_packets(mozilla_t) -corenet_sendrecv_http_cache_client_packets(mozilla_t) -corenet_sendrecv_squid_client_packets(mozilla_t) -corenet_sendrecv_ftp_client_packets(mozilla_t) -corenet_sendrecv_ipp_client_packets(mozilla_t) -corenet_sendrecv_generic_client_packets(mozilla_t) -# Should not need other ports -corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) -corenet_dontaudit_tcp_bind_generic_port(mozilla_t) -corenet_tcp_connect_speech_port(mozilla_t) - -dev_read_urand(mozilla_t) -dev_read_rand(mozilla_t) -dev_write_sound(mozilla_t) -dev_read_sound(mozilla_t) -dev_dontaudit_rw_dri(mozilla_t) -dev_getattr_sysfs_dirs(mozilla_t) - -domain_dontaudit_read_all_domains_state(mozilla_t) - -files_read_etc_runtime_files(mozilla_t) -files_read_usr_files(mozilla_t) -files_read_etc_files(mozilla_t) -# /var/lib -files_read_var_lib_files(mozilla_t) -# interacting with gstreamer -files_read_var_files(mozilla_t) -files_read_var_symlinks(mozilla_t) -files_dontaudit_getattr_boot_dirs(mozilla_t) - -fs_search_auto_mountpoints(mozilla_t) -fs_list_inotifyfs(mozilla_t) -fs_rw_tmpfs_files(mozilla_t) - -term_dontaudit_getattr_pty_dirs(mozilla_t) - -logging_send_syslog_msg(mozilla_t) - -miscfiles_read_fonts(mozilla_t) -miscfiles_read_localization(mozilla_t) -miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) - -# Browse the web, connect to printer -sysnet_dns_name_resolve(mozilla_t) - -userdom_use_user_ptys(mozilla_t) - -xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) -xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) - -tunable_policy(`allow_execmem',` - allow mozilla_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_t) - fs_manage_nfs_files(mozilla_t) - fs_manage_nfs_symlinks(mozilla_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_t) - fs_manage_cifs_files(mozilla_t) - fs_manage_cifs_symlinks(mozilla_t) -') - -# Uploads, local html -tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(mozilla_t) - files_list_home(mozilla_t) - fs_read_nfs_files(mozilla_t) - fs_read_nfs_symlinks(mozilla_t) - -',` - files_dontaudit_list_home(mozilla_t) - fs_dontaudit_list_auto_mountpoints(mozilla_t) - fs_dontaudit_read_nfs_files(mozilla_t) - fs_dontaudit_list_nfs(mozilla_t) -') - -tunable_policy(`mozilla_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints(mozilla_t) - files_list_home(mozilla_t) - fs_read_cifs_files(mozilla_t) - fs_read_cifs_symlinks(mozilla_t) -',` - files_dontaudit_list_home(mozilla_t) - fs_dontaudit_list_auto_mountpoints(mozilla_t) - fs_dontaudit_read_cifs_files(mozilla_t) - fs_dontaudit_list_cifs(mozilla_t) -') - -tunable_policy(`mozilla_read_content',` - userdom_list_user_tmp(mozilla_t) - userdom_read_user_tmp_files(mozilla_t) - userdom_read_user_tmp_symlinks(mozilla_t) - userdom_read_user_home_content_files(mozilla_t) - userdom_read_user_home_content_symlinks(mozilla_t) - - ifndef(`enable_mls',` - fs_search_removable(mozilla_t) - fs_read_removable_files(mozilla_t) - fs_read_removable_symlinks(mozilla_t) - ') -',` - files_dontaudit_list_tmp(mozilla_t) - files_dontaudit_list_home(mozilla_t) - fs_dontaudit_list_removable(mozilla_t) - fs_dontaudit_read_removable_files(mozilla_t) - userdom_dontaudit_list_user_tmp(mozilla_t) - userdom_dontaudit_read_user_tmp_files(mozilla_t) - userdom_dontaudit_list_user_home_dirs(mozilla_t) - userdom_dontaudit_read_user_home_content_files(mozilla_t) -') - -optional_policy(` - apache_read_user_scripts(mozilla_t) - apache_read_user_content(mozilla_t) -') - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_t) -') - -optional_policy(` - cups_read_rw_config(mozilla_t) - cups_dbus_chat(mozilla_t) -') - -optional_policy(` - dbus_system_bus_client(mozilla_t) - dbus_session_bus_client(mozilla_t) - - optional_policy(` - networkmanager_dbus_chat(mozilla_t) - ') -') - -optional_policy(` - gnome_stream_connect_gconf(mozilla_t) - gnome_manage_config(mozilla_t) -') - -optional_policy(` - java_domtrans(mozilla_t) -') - -optional_policy(` - lpd_domtrans_lpr(mozilla_t) -') - -optional_policy(` - mplayer_domtrans(mozilla_t) - mplayer_read_user_home_files(mozilla_t) -') - -optional_policy(` - nscd_socket_use(mozilla_t) -') - -optional_policy(` - pulseaudio_exec(mozilla_t) - pulseaudio_stream_connect(mozilla_t) - pulseaudio_manage_home_files(mozilla_t) -') - -optional_policy(` - thunderbird_domtrans(mozilla_t) -') - -######################################## -# -# mozilla_plugin local policy -# - -dontaudit mozilla_plugin_t self:capability { sys_ptrace }; -allow mozilla_plugin_t self:process { setsched signal_perms execmem }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; -allow mozilla_plugin_t self:udp_socket create_socket_perms; -allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; -allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; -allow mozilla_plugin_t self:sem create_sem_perms; -allow mozilla_plugin_t self:shm create_shm_perms; - -can_exec(mozilla_plugin_t, mozilla_home_t) -read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) - -manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) - -manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - -can_exec(mozilla_plugin_t, mozilla_exec_t) - -kernel_read_kernel_sysctls(mozilla_plugin_t) -kernel_read_system_state(mozilla_plugin_t) -kernel_read_network_state(mozilla_plugin_t) -kernel_request_load_module(mozilla_plugin_t) - -corecmd_exec_bin(mozilla_plugin_t) -corecmd_exec_shell(mozilla_plugin_t) - -corenet_all_recvfrom_netlabel(mozilla_plugin_t) -corenet_all_recvfrom_unlabeled(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) -corenet_tcp_connect_generic_port(mozilla_plugin_t) -corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) -corenet_tcp_connect_http_port(mozilla_plugin_t) -corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_connect_squid_port(mozilla_plugin_t) -corenet_tcp_connect_ipp_port(mozilla_plugin_t) -corenet_tcp_connect_mmcc_port(mozilla_plugin_t) -corenet_tcp_connect_speech_port(mozilla_plugin_t) - -dev_read_rand(mozilla_plugin_t) -dev_read_urand(mozilla_plugin_t) -dev_read_video_dev(mozilla_plugin_t) -dev_write_video_dev(mozilla_plugin_t) -dev_read_sysfs(mozilla_plugin_t) -dev_read_sound(mozilla_plugin_t) -dev_write_sound(mozilla_plugin_t) -# for nvidia driver -dev_rw_xserver_misc(mozilla_plugin_t) -dev_dontaudit_rw_dri(mozilla_plugin_t) - -domain_use_interactive_fds(mozilla_plugin_t) -domain_dontaudit_read_all_domains_state(mozilla_plugin_t) - -files_read_config_files(mozilla_plugin_t) -files_read_usr_files(mozilla_plugin_t) -files_list_mnt(mozilla_plugin_t) - -fs_getattr_all_fs(mozilla_plugin_t) -fs_list_dos(mozilla_plugin_t) -fs_read_dos_files(mozilla_plugin_t) - -application_dontaudit_signull(mozilla_plugin_t) - -auth_use_nsswitch(mozilla_plugin_t) - -logging_send_syslog_msg(mozilla_plugin_t) - -miscfiles_read_localization(mozilla_plugin_t) -miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) -miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) -miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) - -sysnet_dns_name_resolve(mozilla_plugin_t) - -term_getattr_all_ttys(mozilla_plugin_t) -term_getattr_all_ptys(mozilla_plugin_t) - -userdom_rw_user_tmpfs_files(mozilla_plugin_t) -userdom_dontaudit_use_user_terminals(mozilla_plugin_t) -userdom_manage_user_tmp_sockets(mozilla_plugin_t) -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_read_user_tmp_files(mozilla_plugin_t) -userdom_read_user_tmp_symlinks(mozilla_plugin_t) -userdom_read_user_home_content_files(mozilla_plugin_t) -userdom_read_user_home_content_symlinks(mozilla_plugin_t) - -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process { execmem execstack }; -') - -tunable_policy(`allow_execstack',` - allow mozilla_plugin_t self:process { execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_t) - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) -') - -optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) -') - -optional_policy(` - dbus_system_bus_client(mozilla_plugin_t) - dbus_session_bus_client(mozilla_plugin_t) - dbus_read_lib_files(mozilla_plugin_t) -') - -optional_policy(` - gnome_manage_config(mozilla_plugin_t) -') - -optional_policy(` - java_exec(mozilla_plugin_t) -') - -optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_read_user_home_files(mozilla_plugin_t) -') - -optional_policy(` - pcscd_stream_connect(mozilla_plugin_t) -') - -optional_policy(` - pulseaudio_exec(mozilla_plugin_t) - pulseaudio_stream_connect(mozilla_plugin_t) - pulseaudio_setattr_home_dir(mozilla_plugin_t) - pulseaudio_manage_home_files(mozilla_plugin_t) -') - -optional_policy(` - xserver_read_xdm_pid(mozilla_plugin_t) - xserver_stream_connect(mozilla_plugin_t) - xserver_use_user_fonts(mozilla_plugin_t) -') diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc deleted file mode 100644 index 5a37c50d1..000000000 --- a/policy/modules/apps/mplayer.fc +++ /dev/null @@ -1,14 +0,0 @@ -# -# /etc -# -/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) - -# -# /usr -# -/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) -/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) -/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) -/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) - -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if deleted file mode 100644 index d8ea41d12..000000000 --- a/policy/modules/apps/mplayer.if +++ /dev/null @@ -1,104 +0,0 @@ -## Mplayer media player and encoder - -######################################## -## -## Role access for mplayer -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`mplayer_role',` - gen_require(` - type mencoder_t, mencoder_exec_t; - type mplayer_t, mplayer_exec_t; - type mplayer_home_t; - ') - - role $1 types { mencoder_t mplayer_t }; - - # domain transition - domtrans_pattern($2, mencoder_exec_t, mencoder_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, mencoder_t) - allow $2 mencoder_t:process signal_perms; - - # Home access - manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) - manage_files_pattern($2, mplayer_home_t, mplayer_home_t) - manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) - relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - - # domain transition - domtrans_pattern($2, mplayer_exec_t, mplayer_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, mplayer_t) - allow $2 mplayer_t:process signal_perms; -') - -######################################## -## -## Run mplayer in mplayer domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mplayer_domtrans',` - gen_require(` - type mplayer_t, mplayer_exec_t; - ') - - domtrans_pattern($1, mplayer_exec_t, mplayer_t) -') - -######################################## -## -## Execute mplayer in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`mplayer_exec',` - gen_require(` - type mplayer_exec_t; - ') - - can_exec($1, mplayer_exec_t) -') - -######################################## -## -## Read mplayer per user homedir -## -## -## -## Domain allowed access. -## -## -# -interface(`mplayer_read_user_home_files',` - gen_require(` - type mplayer_home_t; - ') - - read_files_pattern($1, mplayer_home_t, mplayer_home_t) - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te deleted file mode 100644 index 4c4390143..000000000 --- a/policy/modules/apps/mplayer.te +++ /dev/null @@ -1,314 +0,0 @@ -policy_module(mplayer, 2.3.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow mplayer executable stack -##

-## -gen_tunable(allow_mplayer_execstack, false) - -type mencoder_t; -type mencoder_exec_t; -typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t }; -typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t }; -application_domain(mencoder_t, mencoder_exec_t) -ubac_constrained(mencoder_t) - -type mplayer_t; -type mplayer_exec_t; -typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t }; -typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t }; -application_domain(mplayer_t, mplayer_exec_t) -ubac_constrained(mplayer_t) - -type mplayer_etc_t; -files_config_file(mplayer_etc_t) - -type mplayer_home_t; -typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; -typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; -userdom_user_home_content(mplayer_home_t) - -type mplayer_tmpfs_t; -typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; -typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; -files_tmpfs_file(mplayer_tmpfs_t) -ubac_constrained(mplayer_tmpfs_t) - -######################################## -# -# mencoder local policy -# - -manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) -manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) -manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) - -# Read global config -allow mencoder_t mplayer_etc_t:dir list_dir_perms; -read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) -read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) - -# Read /proc files and directories -# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. -kernel_read_system_state(mencoder_t) -# Sysctl on kernel version -kernel_read_kernel_sysctls(mencoder_t) - -# Required for win32 binary loader -dev_rwx_zero(mencoder_t) -# Access to DVD/CD/V4L -dev_read_video_dev(mencoder_t) - -# Read data in /usr/share (fonts, icons..) -files_read_usr_files(mencoder_t) -files_read_usr_symlinks(mencoder_t) - -fs_search_auto_mountpoints(mencoder_t) - -# Access to DVD/CD/V4L -storage_raw_read_removable_device(mencoder_t) - -miscfiles_read_localization(mencoder_t) - -userdom_use_user_terminals(mencoder_t) -# Handle removable media, /tmp, and /home -userdom_list_user_tmp(mencoder_t) -userdom_read_user_tmp_files(mencoder_t) -userdom_read_user_tmp_symlinks(mencoder_t) -userdom_read_user_home_content_files(mencoder_t) -userdom_read_user_home_content_symlinks(mencoder_t) - -# Read content to encode -ifndef(`enable_mls',` - fs_search_removable(mencoder_t) - fs_read_removable_files(mencoder_t) - fs_read_removable_symlinks(mencoder_t) -') - -tunable_policy(`allow_execmem',` - allow mencoder_t self:process execmem; -') - -tunable_policy(`allow_execmod',` - dev_execmod_zero(mencoder_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mencoder_t) - fs_manage_nfs_files(mencoder_t) - fs_manage_nfs_symlinks(mencoder_t) - -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mencoder_t) - fs_manage_cifs_files(mencoder_t) - fs_manage_cifs_symlinks(mencoder_t) - -') - -# Read content to encode -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(mencoder_t) - files_list_home(mencoder_t) - fs_read_nfs_files(mencoder_t) - fs_read_nfs_symlinks(mencoder_t) - -',` - files_dontaudit_list_home(mencoder_t) - fs_dontaudit_list_auto_mountpoints(mencoder_t) - fs_dontaudit_read_nfs_files(mencoder_t) - fs_dontaudit_list_nfs(mencoder_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints(mencoder_t) - files_list_home(mencoder_t) - fs_read_cifs_files(mencoder_t) - fs_read_cifs_symlinks(mencoder_t) -',` - files_dontaudit_list_home(mencoder_t) - fs_dontaudit_list_auto_mountpoints(mencoder_t) - fs_dontaudit_read_cifs_files(mencoder_t) - fs_dontaudit_list_cifs(mencoder_t) -') - -######################################## -# -# mplayer local policy -# - -allow mplayer_t self:process { signal_perms getsched }; -allow mplayer_t self:fifo_file rw_fifo_file_perms; -allow mplayer_t self:sem create_sem_perms; -allow mplayer_t self:netlink_route_socket create_netlink_socket_perms; -allow mplayer_t self:tcp_socket create_socket_perms; -allow mplayer_t self:unix_dgram_socket sendto; - -manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) -manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) -manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) -userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) - -manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -# Read global config -allow mplayer_t mplayer_etc_t:dir list_dir_perms; -read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) -read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) - -kernel_dontaudit_list_unlabeled(mplayer_t) -kernel_dontaudit_getattr_unlabeled_files(mplayer_t) -kernel_dontaudit_read_unlabeled_files(mplayer_t) -# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. -kernel_read_system_state(mplayer_t) -# Sysctl on kernel version -kernel_read_kernel_sysctls(mplayer_t) - -corenet_all_recvfrom_netlabel(mplayer_t) -corenet_all_recvfrom_unlabeled(mplayer_t) -corenet_tcp_sendrecv_generic_if(mplayer_t) -corenet_tcp_sendrecv_generic_node(mplayer_t) -corenet_tcp_bind_generic_node(mplayer_t) -corenet_tcp_connect_pulseaudio_port(mplayer_t) -corenet_sendrecv_pulseaudio_client_packets(mplayer_t) - -# Run bash/sed (??) -corecmd_exec_bin(mplayer_t) -corecmd_exec_shell(mplayer_t) - -dev_read_rand(mplayer_t) -dev_read_urand(mplayer_t) -# Required for win32 binary loader -dev_rwx_zero(mplayer_t) -# Access to DVD/CD/V4L -dev_read_video_dev(mplayer_t) -dev_write_video_dev(mplayer_t) -# Audio, alsa.conf -dev_read_sound_mixer(mplayer_t) -dev_write_sound_mixer(mplayer_t) -# RTC clock -dev_read_realtime_clock(mplayer_t) - -domain_use_interactive_fds(mplayer_t) - -# Access to DVD/CD/V4L -storage_raw_read_removable_device(mplayer_t) - -files_read_etc_files(mplayer_t) -files_dontaudit_list_non_security(mplayer_t) -files_dontaudit_getattr_non_security_files(mplayer_t) -files_read_non_security_files(mplayer_t) -# Unfortunately the ancient file dialog starts in / -files_list_home(mplayer_t) -# Read /etc/mtab -files_read_etc_runtime_files(mplayer_t) -# Read data in /usr/share (fonts, icons..) -files_read_usr_files(mplayer_t) -files_read_usr_symlinks(mplayer_t) - -fs_dontaudit_getattr_all_fs(mplayer_t) -fs_search_auto_mountpoints(mplayer_t) -fs_list_inotifyfs(mplayer_t) - -miscfiles_read_localization(mplayer_t) -miscfiles_read_fonts(mplayer_t) - -userdom_use_user_terminals(mplayer_t) -# Read media files -userdom_list_user_tmp(mplayer_t) -userdom_read_user_tmp_files(mplayer_t) -userdom_read_user_tmp_symlinks(mplayer_t) -userdom_read_user_home_content_files(mplayer_t) -userdom_read_user_home_content_symlinks(mplayer_t) -userdom_write_user_tmp_sockets(mplayer_t) - -xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) - -# Read songs -ifdef(`enable_mls',`',` - fs_search_removable(mplayer_t) - fs_read_removable_files(mplayer_t) - fs_read_removable_symlinks(mplayer_t) -') - -tunable_policy(`allow_execmem',` - allow mplayer_t self:process execmem; -') - -tunable_policy(`allow_execmod',` - dev_execmod_zero(mplayer_t) -') - -tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t self:process { execmem execstack }; -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mplayer_t) - fs_manage_nfs_files(mplayer_t) - fs_manage_nfs_symlinks(mplayer_t) -') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mplayer_t) - fs_manage_cifs_files(mplayer_t) - fs_manage_cifs_symlinks(mplayer_t) -') - -# Legacy domain issues -tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t mplayer_tmpfs_t:file execute; -') - -# Read songs -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(mplayer_t) - files_list_home(mplayer_t) - fs_read_nfs_files(mplayer_t) - fs_read_nfs_symlinks(mplayer_t) - -',` - files_dontaudit_list_home(mplayer_t) - fs_dontaudit_list_auto_mountpoints(mplayer_t) - fs_dontaudit_read_nfs_files(mplayer_t) - fs_dontaudit_list_nfs(mplayer_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints(mplayer_t) - files_list_home(mplayer_t) - fs_read_cifs_files(mplayer_t) - fs_read_cifs_symlinks(mplayer_t) -',` - files_dontaudit_list_home(mplayer_t) - fs_dontaudit_list_auto_mountpoints(mplayer_t) - fs_dontaudit_read_cifs_files(mplayer_t) - fs_dontaudit_list_cifs(mplayer_t) -') - -optional_policy(` - alsa_read_rw_config(mplayer_t) -') - -optional_policy(` - nscd_socket_use(mplayer_t) -') - -optional_policy(` - pulseaudio_exec(mplayer_t) - pulseaudio_stream_connect(mplayer_t) -') diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc deleted file mode 100644 index 6fbc01c31..000000000 --- a/policy/modules/apps/podsleuth.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if deleted file mode 100644 index d6d80a0c7..000000000 --- a/policy/modules/apps/podsleuth.if +++ /dev/null @@ -1,45 +0,0 @@ -## Podsleuth is a tool to get information about an Apple (TM) iPod (TM) - -######################################## -## -## Execute a domain transition to run podsleuth. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`podsleuth_domtrans',` - gen_require(` - type podsleuth_t, podsleuth_exec_t; - ') - - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) - allow $1 podsleuth_t:process signal; -') - -######################################## -## -## Execute podsleuth in the podsleuth domain, and -## allow the specified role the podsleuth domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`podsleuth_run',` - gen_require(` - type podsleuth_t; - ') - - podsleuth_domtrans($1) - role $2 types podsleuth_t; -') diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te deleted file mode 100644 index b669461d9..000000000 --- a/policy/modules/apps/podsleuth.te +++ /dev/null @@ -1,89 +0,0 @@ -policy_module(podsleuth, 1.5.0) - -######################################## -# -# Declarations -# - -type podsleuth_t; -type podsleuth_exec_t; -application_domain(podsleuth_t, podsleuth_exec_t) -role system_r types podsleuth_t; - -type podsleuth_cache_t; -files_type(podsleuth_cache_t) -ubac_constrained(podsleuth_cache_t) - -type podsleuth_tmp_t; -files_tmp_file(podsleuth_tmp_t) -ubac_constrained(podsleuth_tmp_t) - -type podsleuth_tmpfs_t; -files_tmpfs_file(podsleuth_tmpfs_t) -ubac_constrained(podsleuth_tmpfs_t) - -######################################## -# -# podsleuth local policy -# -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; -allow podsleuth_t self:fifo_file rw_file_perms; -allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; -allow podsleuth_t self:sem create_sem_perms; -allow podsleuth_t self:tcp_socket create_stream_socket_perms; -allow podsleuth_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) - -allow podsleuth_t podsleuth_tmp_t:dir mounton; -manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) - -manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) -fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) - -kernel_read_system_state(podsleuth_t) -kernel_request_load_module(podsleuth_t) - -corecmd_exec_bin(podsleuth_t) - -corenet_tcp_connect_http_port(podsleuth_t) - -dev_read_urand(podsleuth_t) - -files_read_etc_files(podsleuth_t) - -fs_mount_dos_fs(podsleuth_t) -fs_unmount_dos_fs(podsleuth_t) -fs_getattr_dos_fs(podsleuth_t) -fs_read_dos_files(podsleuth_t) -fs_search_dos(podsleuth_t) -fs_getattr_tmpfs(podsleuth_t) -fs_list_tmpfs(podsleuth_t) -fs_rw_removable_blk_files(podsleuth_t) - -miscfiles_read_localization(podsleuth_t) - -sysnet_dns_name_resolve(podsleuth_t) - -userdom_signal_unpriv_users(podsleuth_t) -userdom_signull_unpriv_users(podsleuth_t) -userdom_read_user_tmpfs_files(podsleuth_t) - -optional_policy(` - dbus_system_bus_client(podsleuth_t) - - optional_policy(` - hal_dbus_chat(podsleuth_t) - ') -') - -optional_policy(` - mono_exec(podsleuth_t) -') diff --git a/policy/modules/apps/ptchown.fc b/policy/modules/apps/ptchown.fc deleted file mode 100644 index 9fc398e8f..000000000 --- a/policy/modules/apps/ptchown.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if deleted file mode 100644 index 96cc0237f..000000000 --- a/policy/modules/apps/ptchown.if +++ /dev/null @@ -1,44 +0,0 @@ -## helper function for grantpt(3), changes ownship and permissions of pseudotty - -######################################## -## -## Execute a domain transition to run ptchown. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ptchown_domtrans',` - gen_require(` - type ptchown_t, ptchown_exec_t; - ') - - domtrans_pattern($1, ptchown_exec_t, ptchown_t) -') - -######################################## -## -## Execute ptchown in the ptchown domain, and -## allow the specified role the ptchown domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`ptchown_run',` - gen_require(` - type ptchown_t; - ') - - ptchown_domtrans($1) - role $2 types ptchown_t; -') diff --git a/policy/modules/apps/ptchown.te b/policy/modules/apps/ptchown.te deleted file mode 100644 index d90245a23..000000000 --- a/policy/modules/apps/ptchown.te +++ /dev/null @@ -1,31 +0,0 @@ -policy_module(ptchown, 1.1.0) - -######################################## -# -# Declarations -# - -type ptchown_t; -type ptchown_exec_t; -application_domain(ptchown_t, ptchown_exec_t) -role system_r types ptchown_t; - -######################################## -# -# ptchown local policy -# - -allow ptchown_t self:capability { chown fowner fsetid setuid }; -allow ptchown_t self:process { getcap setcap }; - -files_read_etc_files(ptchown_t) - -fs_rw_anon_inodefs_files(ptchown_t) - -term_setattr_generic_ptys(ptchown_t) -term_getattr_all_ptys(ptchown_t) -term_setattr_all_ptys(ptchown_t) -term_use_generic_ptys(ptchown_t) -term_use_ptmx(ptchown_t) - -miscfiles_read_localization(ptchown_t) diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc deleted file mode 100644 index 84f23dcad..000000000 --- a/policy/modules/apps/pulseaudio.fc +++ /dev/null @@ -1,7 +0,0 @@ -HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) -HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - -/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - -/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) -/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if deleted file mode 100644 index f40c64dc4..000000000 --- a/policy/modules/apps/pulseaudio.if +++ /dev/null @@ -1,260 +0,0 @@ -## Pulseaudio network sound server. - -######################################## -## -## Role access for pulseaudio -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`pulseaudio_role',` - gen_require(` - type pulseaudio_t, pulseaudio_exec_t; - class dbus { acquire_svc send_msg }; - ') - - role $1 types pulseaudio_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) - - ps_process_pattern($2, pulseaudio_t) - - allow pulseaudio_t $2:process { signal signull }; - allow $2 pulseaudio_t:process { signal signull sigkill }; - ps_process_pattern(pulseaudio_t, $2) - - allow pulseaudio_t $2:unix_stream_socket connectto; - allow $2 pulseaudio_t:unix_stream_socket connectto; - - allow $2 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $2:dbus { acquire_svc send_msg }; -') - -######################################## -## -## Execute a domain transition to run pulseaudio. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pulseaudio_domtrans',` - gen_require(` - type pulseaudio_t, pulseaudio_exec_t; - ') - - domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) -') - -######################################## -## -## Execute pulseaudio in the pulseaudio domain, and -## allow the specified role the pulseaudio domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`pulseaudio_run',` - gen_require(` - type pulseaudio_t; - ') - - pulseaudio_domtrans($1) - role $2 types pulseaudio_t; -') - -######################################## -## -## Execute a pulseaudio in the current domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_exec',` - gen_require(` - type pulseaudio_exec_t; - ') - - can_exec($1, pulseaudio_exec_t) -') - -######################################## -## -## Do not audit to execute a pulseaudio. -## -## -## -## Domain to not audit. -## -## -# -interface(`pulseaudio_dontaudit_exec',` - gen_require(` - type pulseaudio_exec_t; - ') - - dontaudit $1 pulseaudio_exec_t:file exec_file_perms; -') - -######################################## -## -## Send signull signal to pulseaudio -## processes. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_signull',` - gen_require(` - type pulseaudio_t; - ') - - allow $1 pulseaudio_t:process signull; -') - -##################################### -## -## Connect to pulseaudio over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_stream_connect',` - gen_require(` - type pulseaudio_t, pulseaudio_var_run_t; - ') - - files_search_pids($1) - allow $1 pulseaudio_t:process signull; - allow pulseaudio_t $1:process signull; - stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) -') - -######################################## -## -## Send and receive messages from -## pulseaudio over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_dbus_chat',` - gen_require(` - type pulseaudio_t; - class dbus send_msg; - ') - - allow $1 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $1:dbus send_msg; -') - -######################################## -## -## Set the attributes of the pulseaudio homedir. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_setattr_home_dir',` - gen_require(` - type pulseaudio_home_t; - ') - - allow $1 pulseaudio_home_t:dir setattr; -') - -######################################## -## -## Read pulseaudio homedir files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_read_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -') - -######################################## -## -## Read and write Pulse Audio files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_rw_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Create, read, write, and delete pulseaudio -## home directory files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pulseaudio_manage_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te deleted file mode 100644 index a15489a7a..000000000 --- a/policy/modules/apps/pulseaudio.te +++ /dev/null @@ -1,150 +0,0 @@ -policy_module(pulseaudio, 1.4.0) - -######################################## -# -# Declarations -# - -type pulseaudio_t; -type pulseaudio_exec_t; -init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) -application_domain(pulseaudio_t, pulseaudio_exec_t) -ubac_constrained(pulseaudio_t) -role system_r types pulseaudio_t; - -type pulseaudio_home_t; -userdom_user_home_content(pulseaudio_home_t) - -type pulseaudio_tmpfs_t; -files_tmpfs_file(pulseaudio_tmpfs_t) -ubac_constrained(pulseaudio_tmpfs_t) - -type pulseaudio_var_lib_t; -files_type(pulseaudio_var_lib_t) -ubac_constrained(pulseaudio_var_lib_t) - -type pulseaudio_var_run_t; -files_pid_file(pulseaudio_var_run_t) -ubac_constrained(pulseaudio_var_run_t) - -######################################## -# -# pulseaudio local policy -# - -allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; -allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; -allow pulseaudio_t self:fifo_file rw_file_perms; -allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; -allow pulseaudio_t self:tcp_socket create_stream_socket_perms; -allow pulseaudio_t self:udp_socket create_socket_perms; -allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -userdom_search_user_home_dirs(pulseaudio_t) - -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) - -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) - -can_exec(pulseaudio_t, pulseaudio_exec_t) - -kernel_getattr_proc(pulseaudio_t) -kernel_read_system_state(pulseaudio_t) -kernel_read_kernel_sysctls(pulseaudio_t) - -corecmd_exec_bin(pulseaudio_t) - -corenet_all_recvfrom_unlabeled(pulseaudio_t) -corenet_all_recvfrom_netlabel(pulseaudio_t) -corenet_tcp_bind_pulseaudio_port(pulseaudio_t) -corenet_tcp_bind_soundd_port(pulseaudio_t) -corenet_tcp_sendrecv_generic_if(pulseaudio_t) -corenet_tcp_sendrecv_generic_node(pulseaudio_t) -corenet_udp_bind_sap_port(pulseaudio_t) -corenet_udp_sendrecv_generic_if(pulseaudio_t) -corenet_udp_sendrecv_generic_node(pulseaudio_t) - -dev_read_sound(pulseaudio_t) -dev_write_sound(pulseaudio_t) -dev_read_sysfs(pulseaudio_t) -dev_read_urand(pulseaudio_t) - -files_read_etc_files(pulseaudio_t) -files_read_usr_files(pulseaudio_t) - -fs_rw_anon_inodefs_files(pulseaudio_t) -fs_getattr_tmpfs(pulseaudio_t) -fs_list_inotifyfs(pulseaudio_t) - -term_use_all_ttys(pulseaudio_t) -term_use_all_ptys(pulseaudio_t) - -auth_use_nsswitch(pulseaudio_t) - -logging_send_syslog_msg(pulseaudio_t) - -miscfiles_read_localization(pulseaudio_t) - -# cjp: this seems excessive. need to confirm -userdom_manage_user_home_content_files(pulseaudio_t) -userdom_manage_user_tmp_files(pulseaudio_t) -userdom_manage_user_tmpfs_files(pulseaudio_t) - -optional_policy(` - bluetooth_stream_connect(pulseaudio_t) -') - -optional_policy(` - dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) - dbus_system_bus_client(pulseaudio_t) - dbus_session_bus_client(pulseaudio_t) - dbus_connect_session_bus(pulseaudio_t) - - optional_policy(` - consolekit_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - hal_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - policykit_dbus_chat(pulseaudio_t) - ') - - optional_policy(` - rpm_dbus_chat(pulseaudio_t) - ') -') - -optional_policy(` - rtkit_scheduled(pulseaudio_t) -') - -optional_policy(` - policykit_domtrans_auth(pulseaudio_t) - policykit_read_lib(pulseaudio_t) - policykit_read_reload(pulseaudio_t) -') - -optional_policy(` - udev_read_state(pulseaudio_t) - udev_read_db(pulseaudio_t) -') - -optional_policy(` - xserver_stream_connect(pulseaudio_t) - xserver_manage_xdm_tmp_files(pulseaudio_t) - xserver_read_xdm_lib_files(pulseaudio_t) - xserver_read_xdm_pid(pulseaudio_t) - xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) -') diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc deleted file mode 100644 index 64d877ece..000000000 --- a/policy/modules/apps/qemu.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if deleted file mode 100644 index 268d69130..000000000 --- a/policy/modules/apps/qemu.if +++ /dev/null @@ -1,309 +0,0 @@ -## QEMU machine emulator and virtualizer - -######################################## -## -## Creates types and rules for a basic -## qemu process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`qemu_domain_template',` - - ############################## - # - # Local Policy - # - - type $1_t; - domain_type($1_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - ############################## - # - # Local Policy - # - - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:tun_socket create; - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - -# dev_rw_kvm($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) - - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) - - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) - - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - - userdom_use_user_terminals($1_t) - userdom_attach_admin_tun_iface($1_t) - - optional_policy(` - samba_domtrans_smbd($1_t) - ') - - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) - virt_attach_tun_iface($1_t) - ') - - optional_policy(` - xserver_stream_connect($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) -# xserver_xdm_rw_shm($1_t) - ') -') - -####################################### -## -## The per role template for the qemu module. -## -## -##

-## This template creates a derived domains which are used -## for qemu web browser. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`qemu_role',` - gen_require(` - type qemu_t, qemu_exec_t; - type qemu_config_t, qemu_config_exec_t; - ') - - role $1 types { qemu_t qemu_config_t }; - - domtrans_pattern($2, qemu_exec_t, qemu_t) - domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) - allow qemu_t $2:process signull; -') - -######################################## -## -## Execute a domain transition to run qemu. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qemu_domtrans',` - gen_require(` - type qemu_t, qemu_exec_t; - ') - - domtrans_pattern($1, qemu_exec_t, qemu_t) -') - -######################################## -## -## Execute qemu in the qemu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the qemu domain. -## -## -## -# -interface(`qemu_run',` - gen_require(` - type qemu_t; - ') - - qemu_domtrans($1) - role $2 types qemu_t; - allow qemu_t $1:process signull; - allow $1 qemu_t:process signull; -') - -######################################## -## -## Allow the domain to read state files in /proc. -## -## -## -## Domain to allow access. -## -## -# -interface(`qemu_read_state',` - gen_require(` - type qemu_t; - ') - - read_files_pattern($1, qemu_t, qemu_t) -') - -######################################## -## -## Set the schedule on qemu. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_setsched',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process setsched; -') - -######################################## -## -## Send a signal to qemu. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_signal',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process signal; -') - -######################################## -## -## Send a sigill to qemu -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_kill',` - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process sigkill; -') - -######################################## -## -## Execute a domain transition to run qemu unconfined. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qemu_domtrans_unconfined',` - gen_require(` - type unconfined_qemu_t, qemu_exec_t; - ') - - domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) -') - -######################################## -## -## Manage qemu temporary dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_manage_tmp_dirs',` - gen_require(` - type qemu_tmp_t; - ') - - manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) -') - -######################################## -## -## Manage qemu temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qemu_manage_tmp_files',` - gen_require(` - type qemu_tmp_t; - ') - - manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -') diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te deleted file mode 100644 index 9cf99925f..000000000 --- a/policy/modules/apps/qemu.te +++ /dev/null @@ -1,128 +0,0 @@ -policy_module(qemu, 1.6.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow qemu to connect fully to the network -##

-## -gen_tunable(qemu_full_network, false) - -## -##

-## Allow qemu to use cifs/Samba file systems -##

-## -gen_tunable(qemu_use_cifs, true) - -## -##

-## Allow qemu to use serial/parallel communication ports -##

-## -gen_tunable(qemu_use_comm, false) - -## -##

-## Allow qemu to use nfs file systems -##

-## -gen_tunable(qemu_use_nfs, true) - -## -##

-## Allow qemu to use usb devices -##

-## -gen_tunable(qemu_use_usb, true) - -type qemu_exec_t; -virt_domain_template(qemu) -application_domain(qemu_t, qemu_exec_t) -role system_r types qemu_t; - -######################################## -# -# qemu local policy -# - -storage_raw_write_removable_device(qemu_t) -storage_raw_read_removable_device(qemu_t) - -userdom_search_user_home_content(qemu_t) -userdom_read_user_tmpfs_files(qemu_t) - -tunable_policy(`qemu_full_network',` - allow qemu_t self:udp_socket create_socket_perms; - - corenet_udp_sendrecv_generic_if(qemu_t) - corenet_udp_sendrecv_generic_node(qemu_t) - corenet_udp_sendrecv_all_ports(qemu_t) - corenet_udp_bind_generic_node(qemu_t) - corenet_udp_bind_all_ports(qemu_t) - corenet_tcp_bind_all_ports(qemu_t) - corenet_tcp_connect_all_ports(qemu_t) -') - -tunable_policy(`qemu_use_cifs',` - fs_manage_cifs_dirs(qemu_t) - fs_manage_cifs_files(qemu_t) -') - -tunable_policy(`qemu_use_comm',` - term_use_unallocated_ttys(qemu_t) - dev_rw_printer(qemu_t) -') - -tunable_policy(`qemu_use_nfs',` - fs_manage_nfs_dirs(qemu_t) - fs_manage_nfs_files(qemu_t) -') - -tunable_policy(`qemu_use_usb',` - dev_rw_usbfs(qemu_t) - fs_manage_dos_dirs(qemu_t) - fs_manage_dos_files(qemu_t) -') - -optional_policy(` - dbus_read_lib_files(qemu_t) -') - -optional_policy(` - pulseaudio_manage_home_files(qemu_t) - pulseaudio_stream_connect(qemu_t) -') - -optional_policy(` - virt_manage_images(qemu_t) - virt_append_log(qemu_t) -') - -optional_policy(` - xen_rw_image_files(qemu_t) -') - -optional_policy(` - xserver_read_xdm_pid(qemu_t) - xserver_stream_connect(qemu_t) -') - -######################################## -# -# Unconfined qemu local policy -# - -optional_policy(` - type unconfined_qemu_t; - typealias unconfined_qemu_t alias qemu_unconfined_t; - application_type(unconfined_qemu_t) - unconfined_domain(unconfined_qemu_t) - - allow unconfined_qemu_t self:process { execstack execmem }; - allow unconfined_qemu_t qemu_exec_t:file execmod; -') diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc deleted file mode 100644 index 4c091ca37..000000000 --- a/policy/modules/apps/rssh.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if deleted file mode 100644 index cb3d9737b..000000000 --- a/policy/modules/apps/rssh.if +++ /dev/null @@ -1,103 +0,0 @@ -## Restricted (scp/sftp) only shell - -######################################## -## -## Role access for rssh -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`rssh_role',` - gen_require(` - type rssh_t; - ') - - role $1 types rssh_t; - - # allow ps to show irc - ps_process_pattern($2, rssh_t) - allow $2 rssh_t:process signal; -') - -######################################## -## -## Transition to all user rssh domains. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rssh_spec_domtrans',` - gen_require(` - type rssh_t, rssh_exec_t; - ') - - spec_domtrans_pattern($1, rssh_exec_t, rssh_t) -') - -######################################## -## -## Execute the rssh program -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rssh_exec',` - gen_require(` - type rssh_exec_t; - ') - - can_exec($1, rssh_exec_t) -') - -######################################## -## -## Execute a domain transition to run rssh_chroot_helper. -## -## -## -## Domain allowed access. -## -## -# -interface(`rssh_domtrans_chroot_helper',` - gen_require(` - type rssh_chroot_helper_t, rssh_chroot_helper_exec_t; - ') - - domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t) -') - -######################################## -## -## Read all users rssh read-only content. -## -## -## -## Domain allowed access. -## -## -# -interface(`rssh_read_ro_content',` - gen_require(` - type rssh_ro_t; - ') - - allow $1 rssh_ro_t:dir list_dir_perms; - read_files_pattern($1, rssh_ro_t, rssh_ro_t) - read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) -') diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te deleted file mode 100644 index 7e8bf6497..000000000 --- a/policy/modules/apps/rssh.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(rssh, 2.1.0) - -######################################## -# -# Declarations -# - -type rssh_t; -type rssh_exec_t; -typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t }; -typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t }; -application_domain(rssh_t, rssh_exec_t) -domain_user_exemption_target(rssh_t) -domain_interactive_fd(rssh_t) -ubac_constrained(rssh_t) -role system_r types rssh_t; - -type rssh_chroot_helper_t; -type rssh_chroot_helper_exec_t; -init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t) - -type rssh_devpts_t; -typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t }; -typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t }; -term_user_pty(rssh_t, rssh_devpts_t) -ubac_constrained(rssh_devpts_t) - -type rssh_ro_t; -typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t }; -typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t }; -userdom_user_home_content(rssh_ro_t) - -type rssh_rw_t; -typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; -typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; -userdom_user_home_content(rssh_rw_t) - -############################## -# -# Local policy -# - -allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow rssh_t self:fd use; -allow rssh_t self:fifo_file rw_fifo_file_perms; -allow rssh_t self:unix_dgram_socket create_socket_perms; -allow rssh_t self:unix_stream_socket create_stream_socket_perms; -allow rssh_t self:unix_dgram_socket sendto; -allow rssh_t self:unix_stream_socket connectto; -allow rssh_t self:shm create_shm_perms; -allow rssh_t self:sem create_sem_perms; -allow rssh_t self:msgq create_msgq_perms; -allow rssh_t self:msg { send receive }; - -allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr }; -term_create_pty(rssh_t, rssh_devpts_t) - -allow rssh_t rssh_ro_t:dir list_dir_perms; -read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t) - -manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t) -manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) - -kernel_read_system_state(rssh_t) -kernel_read_kernel_sysctls(rssh_t) - -files_read_etc_files(rssh_t) -files_read_etc_runtime_files(rssh_t) -files_list_home(rssh_t) -files_read_usr_files(rssh_t) -files_list_var(rssh_t) - -fs_search_auto_mountpoints(rssh_t) - -logging_send_syslog_msg(rssh_t) - -miscfiles_read_localization(rssh_t) - -rssh_domtrans_chroot_helper(rssh_t) - -ssh_rw_tcp_sockets(rssh_t) -ssh_rw_stream_sockets(rssh_t) - -optional_policy(` - nis_use_ypbind(rssh_t) -') - -######################################## -# -# rssh_chroot_helper local policy -# - -allow rssh_chroot_helper_t self:capability { sys_chroot setuid }; -allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; -allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms; - -domain_use_interactive_fds(rssh_chroot_helper_t) - -files_read_etc_files(rssh_chroot_helper_t) - -auth_use_nsswitch(rssh_chroot_helper_t) - -logging_send_syslog_msg(rssh_chroot_helper_t) - -miscfiles_read_localization(rssh_chroot_helper_t) diff --git a/policy/modules/apps/sambagui.fc b/policy/modules/apps/sambagui.fc deleted file mode 100644 index c13d607cc..000000000 --- a/policy/modules/apps/sambagui.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --git a/policy/modules/apps/sambagui.if b/policy/modules/apps/sambagui.if deleted file mode 100644 index b31ed1073..000000000 --- a/policy/modules/apps/sambagui.if +++ /dev/null @@ -1,2 +0,0 @@ -## system-config-samba dbus service policy - diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te deleted file mode 100644 index 1898dbde8..000000000 --- a/policy/modules/apps/sambagui.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(sambagui, 1.1.0) - -######################################## -# -# Declarations -# - -type sambagui_t; -type sambagui_exec_t; -dbus_system_domain(sambagui_t, sambagui_exec_t) - -######################################## -# -# system-config-samba local policy -# - -allow sambagui_t self:capability dac_override; -allow sambagui_t self:fifo_file rw_fifo_file_perms; -allow sambagui_t self:unix_dgram_socket create_socket_perms; - -# read meminfo -kernel_read_system_state(sambagui_t) - -# execut apps of system-config-samba -corecmd_exec_shell(sambagui_t) -corecmd_exec_bin(sambagui_t) - -dev_dontaudit_read_urand(sambagui_t) - -files_read_etc_files(sambagui_t) -files_search_var_lib(sambagui_t) -files_read_usr_files(sambagui_t) - -auth_use_nsswitch(sambagui_t) - -logging_send_syslog_msg(sambagui_t) - -miscfiles_read_localization(sambagui_t) - -optional_policy(` - consoletype_exec(sambagui_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(sambagui_t) -') - -optional_policy(` - policykit_dbus_chat(sambagui_t) -') - -optional_policy(` - # handling with samba conf files - samba_append_log(sambagui_t) - samba_manage_config(sambagui_t) - samba_manage_var_files(sambagui_t) - samba_read_secrets(sambagui_t) - samba_initrc_domtrans(sambagui_t) - samba_domtrans_smbd(sambagui_t) - samba_domtrans_nmbd(sambagui_t) -') diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc deleted file mode 100644 index c8254dd87..000000000 --- a/policy/modules/apps/screen.fc +++ /dev/null @@ -1,15 +0,0 @@ -# -# /home -# -HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) -HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) - -# -# /usr -# -/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) - -# -# /var -# -/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if deleted file mode 100644 index a57e81e14..000000000 --- a/policy/modules/apps/screen.if +++ /dev/null @@ -1,163 +0,0 @@ -## GNU terminal multiplexer - -####################################### -## -## The role template for the screen module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`screen_role_template',` - gen_require(` - type screen_exec_t, screen_tmp_t; - type screen_home_t, screen_var_run_t; - ') - - ######################################## - # - # Declarations - # - - type $1_screen_t; - application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) - ubac_constrained($1_screen_t) - role $2 types $1_screen_t; - - ######################################## - # - # Local policy - # - - allow $1_screen_t self:capability { setuid setgid fsetid }; - allow $1_screen_t self:process signal_perms; - allow $1_screen_t self:fifo_file rw_fifo_file_perms; - allow $1_screen_t self:tcp_socket create_stream_socket_perms; - allow $1_screen_t self:udp_socket create_socket_perms; - # Internal screen networking - allow $1_screen_t self:fd use; - allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; - allow $1_screen_t self:unix_dgram_socket create_socket_perms; - - manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) - files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) - - # Create fifo - manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) - files_pid_filetrans($1_screen_t, screen_var_run_t, dir) - - allow $1_screen_t screen_home_t:dir list_dir_perms; - manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) - manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) - userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) - read_files_pattern($1_screen_t, screen_home_t, screen_home_t) - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) - - allow $1_screen_t $3:process signal; - - domtrans_pattern($3, screen_exec_t, $1_screen_t) - allow $3 $1_screen_t:process { signal sigchld }; - dontaudit $3 $1_screen_t:unix_stream_socket { read write }; - allow $1_screen_t $3:process signal; - - manage_fifo_files_pattern($3, screen_home_t, screen_home_t) - manage_dirs_pattern($3, screen_home_t, screen_home_t) - manage_files_pattern($3, screen_home_t, screen_home_t) - manage_lnk_files_pattern($3, screen_home_t, screen_home_t) - relabel_dirs_pattern($3, screen_home_t, screen_home_t) - relabel_files_pattern($3, screen_home_t, screen_home_t) - relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) - - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) - manage_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - - kernel_read_system_state($1_screen_t) - kernel_read_kernel_sysctls($1_screen_t) - - corecmd_list_bin($1_screen_t) - corecmd_read_bin_files($1_screen_t) - corecmd_read_bin_symlinks($1_screen_t) - corecmd_read_bin_pipes($1_screen_t) - corecmd_read_bin_sockets($1_screen_t) - # Revert to the user domain when a shell is executed. - corecmd_shell_domtrans($1_screen_t, $3) - corecmd_bin_domtrans($1_screen_t, $3) - - corenet_all_recvfrom_unlabeled($1_screen_t) - corenet_all_recvfrom_netlabel($1_screen_t) - corenet_tcp_sendrecv_generic_if($1_screen_t) - corenet_udp_sendrecv_generic_if($1_screen_t) - corenet_tcp_sendrecv_generic_node($1_screen_t) - corenet_udp_sendrecv_generic_node($1_screen_t) - corenet_tcp_sendrecv_all_ports($1_screen_t) - corenet_udp_sendrecv_all_ports($1_screen_t) - corenet_tcp_connect_all_ports($1_screen_t) - - dev_dontaudit_getattr_all_chr_files($1_screen_t) - dev_dontaudit_getattr_all_blk_files($1_screen_t) - # for SSP - dev_read_urand($1_screen_t) - - domain_use_interactive_fds($1_screen_t) - - files_search_tmp($1_screen_t) - files_search_home($1_screen_t) - files_list_home($1_screen_t) - files_read_usr_files($1_screen_t) - files_read_etc_files($1_screen_t) - - fs_search_auto_mountpoints($1_screen_t) - fs_getattr_xattr_fs($1_screen_t) - - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - auth_dontaudit_read_shadow($1_screen_t) - auth_dontaudit_exec_utempter($1_screen_t) - - # Write to utmp. - init_rw_utmp($1_screen_t) - - logging_send_syslog_msg($1_screen_t) - - miscfiles_read_localization($1_screen_t) - - seutil_read_config($1_screen_t) - - userdom_use_user_terminals($1_screen_t) - userdom_create_user_pty($1_screen_t) - userdom_user_home_domtrans($1_screen_t, $3) - userdom_setattr_user_ptys($1_screen_t) - userdom_setattr_user_ttys($1_screen_t) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) - fs_read_cifs_symlinks($1_screen_t) - fs_list_cifs($1_screen_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_nfs_domtrans($1_screen_t, $3) - fs_list_nfs($1_screen_t) - fs_read_nfs_symlinks($1_screen_t) - ') -') diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te deleted file mode 100644 index 84f648c05..000000000 --- a/policy/modules/apps/screen.te +++ /dev/null @@ -1,26 +0,0 @@ -policy_module(screen, 2.4.0) - -######################################## -# -# Declarations -# - -type screen_exec_t; -application_executable_file(screen_exec_t) - -type screen_home_t; -typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t }; -typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; -userdom_user_home_content(screen_home_t) - -type screen_tmp_t; -typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; -typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; -files_tmp_file(screen_tmp_t) -ubac_constrained(screen_tmp_t) - -type screen_var_run_t; -typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; -typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -files_pid_file(screen_var_run_t) -ubac_constrained(screen_var_run_t) diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc deleted file mode 100644 index 1951c4b37..000000000 --- a/policy/modules/apps/slocate.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0) -/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if deleted file mode 100644 index b7505a0b8..000000000 --- a/policy/modules/apps/slocate.if +++ /dev/null @@ -1,41 +0,0 @@ -## Update database for mlocate - -######################################## -## -## Create the locate log with append mode. -## -## -## -## Domain allowed access. -## -## -# -interface(`slocate_create_append_log',` - gen_require(` - type locate_log_t; - ') - - logging_search_logs($1) - create_files_pattern($1, locate_log_t, locate_log_t) - append_files_pattern($1, locate_log_t, locate_log_t) -') - -######################################## -## -## Read locate lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`locate_read_lib_files',` - gen_require(` - type locate_var_lib_t; - ') - - read_files_pattern($1, locate_var_lib_t, locate_var_lib_t) - allow $1 locate_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te deleted file mode 100644 index a225c02ce..000000000 --- a/policy/modules/apps/slocate.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(slocate, 1.11.0) - -################################# -# -# Declarations -# - -type locate_t; -type locate_exec_t; -init_system_domain(locate_t, locate_exec_t) - -type locate_log_t; -logging_log_file(locate_log_t) - -type locate_var_lib_t; -files_type(locate_var_lib_t) - -######################################## -# -# Local policy -# - -allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; -allow locate_t self:process { execmem execheap execstack signal }; -allow locate_t self:fifo_file rw_fifo_file_perms; -allow locate_t self:unix_stream_socket create_socket_perms; - -manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) -manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) - -kernel_read_system_state(locate_t) -kernel_dontaudit_search_network_state(locate_t) -kernel_dontaudit_search_sysctl(locate_t) - -corecmd_exec_bin(locate_t) - -dev_getattr_all_blk_files(locate_t) -dev_getattr_all_chr_files(locate_t) - -files_list_all(locate_t) -files_dontaudit_read_all_symlinks(locate_t) -files_getattr_all_files(locate_t) -files_getattr_all_pipes(locate_t) -files_getattr_all_sockets(locate_t) -files_read_etc_runtime_files(locate_t) -files_read_etc_files(locate_t) - -fs_getattr_all_fs(locate_t) -fs_getattr_all_files(locate_t) -fs_getattr_all_pipes(locate_t) -fs_getattr_all_symlinks(locate_t) -fs_getattr_all_blk_files(locate_t) -fs_getattr_all_chr_files(locate_t) -fs_list_all(locate_t) -fs_list_inotifyfs(locate_t) -fs_read_noxattr_fs_symlinks(locate_t) - -# getpwnam -auth_use_nsswitch(locate_t) - -miscfiles_read_localization(locate_t) - -ifdef(`enable_mls',` - # On MLS machines will not be allowed to getattr Anything but SystemLow - files_dontaudit_getattr_all_dirs(locate_t) -') - -optional_policy(` - cron_system_entry(locate_t, locate_exec_t) -') diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc deleted file mode 100644 index b07ee1968..000000000 --- a/policy/modules/apps/telepathy.fc +++ /dev/null @@ -1,18 +0,0 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) -HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) -HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) - -/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) -/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) -/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) -/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) -/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) -/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) -/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) -/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if deleted file mode 100644 index 3cfb12804..000000000 --- a/policy/modules/apps/telepathy.if +++ /dev/null @@ -1,181 +0,0 @@ -## Telepathy communications framework. - -####################################### -## -## Creates basic types for telepathy -## domain -## -## -## -## Prefix for the domain. -## -## -# -# -template(`telepathy_domain_template',` - - gen_require(` - attribute telepathy_domain; - attribute telepathy_executable; - ') - - type telepathy_$1_t, telepathy_domain; - type telepathy_$1_exec_t, telepathy_executable; - application_domain(telepathy_$1_t, telepathy_$1_exec_t) - ubac_constrained(telepathy_$1_t) - - type telepathy_$1_tmp_t; - files_tmp_file(telepathy_$1_tmp_t) - ubac_constrained(telepathy_$1_tmp_t) -') - -####################################### -## -## Role access for telepathy domains -### that executes via dbus-session -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`telepathy_role', ` - gen_require(` - attribute telepathy_domain; - type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; - type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; - type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; - type telepathy_sofiasip_exec_t, telepathy_idle_exec_t; - type telepathy_logger_t, telepathy_logger_exec_t; - type telepathy_mission_control_exec_t, telepathy_salut_exec_t; - type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; - type telepathy_msn_exec_t; - ') - - role $1 types telepathy_domain; - - allow $2 telepathy_domain:process signal_perms; - ps_process_pattern($2, telepathy_domain) - - telepathy_gabble_stream_connect($2) - telepathy_msn_stream_connect($2) - telepathy_salut_stream_connect($2) - - dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) - dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) - dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) - dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t) - dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) - dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) - dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) - dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) - dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) -') - -######################################## -## -## Stream connect to Telepathy Gabble -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_gabble_stream_connect', ` - gen_require(` - type telepathy_gabble_t, telepathy_gabble_tmp_t; - ') - - stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) - files_search_tmp($1) -') - -######################################## -## -## Send DBus messages to and from -## Telepathy Gabble. -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_gabble_dbus_chat', ` - gen_require(` - type telepathy_gabble_t; - class dbus send_msg; - ') - - allow $1 telepathy_gabble_t:dbus send_msg; - allow telepathy_gabble_t $1:dbus send_msg; -') - -######################################## -## -## Read telepathy mission control state. -## -## -## -## Prefix to be used. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_mission_control_read_state',` - gen_require(` - type telepathy_mission_control_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, telepathy_mission_control_t) -') - -####################################### -## -## Stream connect to telepathy MSN managers -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_msn_stream_connect', ` - gen_require(` - type telepathy_msn_t, telepathy_msn_tmp_t; - ') - - stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) - files_search_tmp($1) -') - -######################################## -## -## Stream connect to Telepathy Salut -## -## -## -## Domain allowed access. -## -## -# -interface(`telepathy_salut_stream_connect', ` - gen_require(` - type telepathy_salut_t, telepathy_salut_tmp_t; - ') - - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) - files_search_tmp($1) -') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te deleted file mode 100644 index 73311c2cc..000000000 --- a/policy/modules/apps/telepathy.te +++ /dev/null @@ -1,380 +0,0 @@ -policy_module(telepathy, 1.1.0) - -######################################## -# -# Declarations. -# - -## -##

-## Allow the Telepathy connection managers -## to connect to any generic TCP port. -##

-## -gen_tunable(telepathy_tcp_connect_generic_network_ports, false) - -## -##

-## Allow the Telepathy connection managers -## to connect to any network port. -##

-## -gen_tunable(telepathy_connect_all_ports, false) - -attribute telepathy_domain; -attribute telepathy_executable; - -telepathy_domain_template(gabble) - -type telepathy_gabble_cache_home_t; -userdom_user_home_content(telepathy_gabble_cache_home_t) - -telepathy_domain_template(idle) -telepathy_domain_template(logger) - -type telepathy_logger_cache_home_t; -userdom_user_home_content(telepathy_logger_cache_home_t) - -type telepathy_logger_data_home_t; -userdom_user_home_content(telepathy_logger_data_home_t) - -telepathy_domain_template(mission_control) - -type telepathy_mission_control_home_t; -userdom_user_home_content(telepathy_mission_control_home_t) - -type telepathy_mission_control_cache_home_t; -userdom_user_home_content(telepathy_mission_control_cache_home_t) - -telepathy_domain_template(msn) -telepathy_domain_template(salut) -telepathy_domain_template(sofiasip) -telepathy_domain_template(stream_engine) -telepathy_domain_template(sunshine) - -type telepathy_sunshine_home_t; -userdom_user_home_content(telepathy_sunshine_home_t) - -####################################### -# -# Telepathy Gabble local policy. -# - -allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms; -allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; - -manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) -files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) - -corenet_all_recvfrom_netlabel(telepathy_gabble_t) -corenet_all_recvfrom_unlabeled(telepathy_gabble_t) -corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -corenet_tcp_sendrecv_generic_node(telepathy_gabble_t) -corenet_tcp_connect_http_port(telepathy_gabble_t) -corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) -corenet_tcp_connect_vnc_port(telepathy_gabble_t) -corenet_sendrecv_http_client_packets(telepathy_gabble_t) -corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) -corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) - -dev_read_rand(telepathy_gabble_t) - -files_read_config_files(telepathy_gabble_t) -files_read_usr_files(telepathy_gabble_t) - -fs_getattr_all_fs(telepathy_gabble_t) - -miscfiles_read_all_certs(telepathy_gabble_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_tcp_connect_all_ports(telepathy_gabble_t) - corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) - corenet_udp_sendrecv_all_ports(telepathy_gabble_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_gabble_t) - fs_manage_nfs_files(telepathy_gabble_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) -') - -####################################### -# -# Telepathy Idle local policy. -# - -corenet_all_recvfrom_netlabel(telepathy_idle_t) -corenet_all_recvfrom_unlabeled(telepathy_idle_t) -corenet_tcp_sendrecv_generic_if(telepathy_idle_t) -corenet_tcp_sendrecv_generic_node(telepathy_idle_t) -corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) -corenet_tcp_connect_ircd_port(telepathy_idle_t) -corenet_sendrecv_ircd_client_packets(telepathy_idle_t) - -dev_read_rand(telepathy_idle_t) - -files_read_etc_files(telepathy_idle_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_tcp_connect_all_ports(telepathy_idle_t) - corenet_tcp_sendrecv_all_ports(telepathy_idle_t) - corenet_udp_sendrecv_all_ports(telepathy_idle_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_tcp_connect_generic_port(telepathy_idle_t) - corenet_sendrecv_generic_client_packets(telepathy_idle_t) -') - -####################################### -# -# Telepathy Logger local policy. -# - -allow telepathy_logger_t self:unix_stream_socket create_socket_perms; - -manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) - -manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) - -files_read_etc_files(telepathy_logger_t) -files_read_usr_files(telepathy_logger_t) -files_search_pids(telepathy_logger_t) - -fs_getattr_all_fs(telepathy_logger_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_logger_t) - fs_manage_nfs_files(telepathy_logger_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_logger_t) - fs_manage_cifs_files(telepathy_logger_t) -') - -####################################### -# -# Telepathy Mission-Control local policy. -# - -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) - -dev_read_rand(telepathy_mission_control_t) - -fs_getattr_all_fs(telepathy_mission_control_t) - -files_read_etc_files(telepathy_mission_control_t) -files_read_usr_files(telepathy_mission_control_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) -') - -####################################### -# -# Telepathy Butterfly and Haze local policy. -# - -allow telepathy_msn_t self:process setsched; -allow telepathy_msn_t self:unix_dgram_socket { write create connect }; - -manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) - -corenet_all_recvfrom_netlabel(telepathy_msn_t) -corenet_all_recvfrom_unlabeled(telepathy_msn_t) -corenet_tcp_sendrecv_generic_if(telepathy_msn_t) -corenet_tcp_sendrecv_generic_node(telepathy_msn_t) -corenet_tcp_bind_generic_node(telepathy_msn_t) -corenet_tcp_connect_http_port(telepathy_msn_t) -corenet_tcp_connect_mmcc_port(telepathy_msn_t) -corenet_tcp_connect_msnp_port(telepathy_msn_t) -corenet_tcp_connect_sip_port(telepathy_msn_t) -corenet_sendrecv_http_client_packets(telepathy_msn_t) -corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) -corenet_sendrecv_msnp_client_packets(telepathy_msn_t) - -corecmd_exec_bin(telepathy_msn_t) -corecmd_exec_shell(telepathy_msn_t) -corecmd_read_bin_symlinks(telepathy_msn_t) - -files_read_etc_files(telepathy_msn_t) -files_read_usr_files(telepathy_msn_t) - -libs_exec_ldconfig(telepathy_msn_t) - -logging_send_syslog_msg(telepathy_msn_t) - -miscfiles_read_all_certs(telepathy_msn_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_tcp_connect_all_ports(telepathy_msn_t) - corenet_tcp_sendrecv_all_ports(telepathy_msn_t) - corenet_udp_sendrecv_all_ports(telepathy_msn_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_tcp_connect_generic_port(telepathy_msn_t) - corenet_sendrecv_generic_client_packets(telepathy_msn_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_msn_t) - - optional_policy(` - networkmanager_dbus_chat(telepathy_msn_t) - ') -') - -####################################### -# -# Telepathy Salut local policy. -# - -allow telepathy_salut_t self:tcp_socket create_stream_socket_perms; - -manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) -files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) - -corenet_all_recvfrom_netlabel(telepathy_salut_t) -corenet_all_recvfrom_unlabeled(telepathy_salut_t) -corenet_tcp_sendrecv_generic_if(telepathy_salut_t) -corenet_tcp_sendrecv_generic_node(telepathy_salut_t) -corenet_tcp_bind_generic_node(telepathy_salut_t) -corenet_tcp_bind_presence_port(telepathy_salut_t) -corenet_tcp_connect_presence_port(telepathy_salut_t) -corenet_sendrecv_presence_server_packets(telepathy_salut_t) - -files_read_etc_files(telepathy_salut_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_tcp_connect_all_ports(telepathy_salut_t) - corenet_tcp_sendrecv_all_ports(telepathy_salut_t) - corenet_udp_sendrecv_all_ports(telepathy_salut_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_tcp_connect_generic_port(telepathy_salut_t) - corenet_sendrecv_generic_client_packets(telepathy_salut_t) -') - -optional_policy(` - dbus_system_bus_client(telepathy_salut_t) - - optional_policy(` - avahi_dbus_chat(telepathy_salut_t) - ') -') - -####################################### -# -# Telepathy Sofiasip local policy. -# - -allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; -allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; - -corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) -corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) -corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) -corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) -corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) -corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t) -corenet_tcp_bind_generic_node(telepathy_sofiasip_t) -corenet_raw_bind_generic_node(telepathy_sofiasip_t) -corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) -corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) -corenet_tcp_connect_sip_port(telepathy_sofiasip_t) -corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) - -kernel_request_load_module(telepathy_sofiasip_t) - -tunable_policy(`telepathy_connect_all_ports',` - corenet_tcp_connect_all_ports(telepathy_sofiasip_t) - corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) - corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t) -') - -tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_tcp_connect_generic_port(telepathy_sofiasip_t) - corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) -') - -####################################### -# -# Telepathy Sunshine local policy. -# - -manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) -userdom_search_user_home_dirs(telepathy_sunshine_t) - -manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) -files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) - -corecmd_exec_bin(telepathy_sunshine_t) - -files_read_etc_files(telepathy_sunshine_t) -files_read_usr_files(telepathy_sunshine_t) - -optional_policy(` - xserver_read_xdm_pid(telepathy_sunshine_t) - xserver_stream_connect(telepathy_sunshine_t) -') - -####################################### -# -# telepathy domains common policy -# - -allow telepathy_domain self:process { getsched signal sigkill }; -allow telepathy_domain self:fifo_file rw_fifo_file_perms; -allow telepathy_domain self:tcp_socket create_socket_perms; -allow telepathy_domain self:udp_socket create_socket_perms; - -dev_read_urand(telepathy_domain) - -kernel_read_system_state(telepathy_domain) - -fs_search_auto_mountpoints(telepathy_domain) - -auth_use_nsswitch(telepathy_domain) - -miscfiles_read_localization(telepathy_domain) - -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(telepathy_domain) -') - -optional_policy(` - xserver_rw_xdm_pipes(telepathy_domain) -') diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc deleted file mode 100644 index fb43a7b4d..000000000 --- a/policy/modules/apps/thunderbird.fc +++ /dev/null @@ -1,6 +0,0 @@ -# -# /usr -# -/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) - -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if deleted file mode 100644 index a76e9f943..000000000 --- a/policy/modules/apps/thunderbird.if +++ /dev/null @@ -1,63 +0,0 @@ -## Thunderbird email client - -######################################## -## -## Role access for thunderbird -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`thunderbird_role',` - gen_require(` - type thunderbird_t, thunderbird_exec_t; - type thunderbird_home_t, thunderbird_tmpfs_t; - ') - - role $1 types thunderbird_t; - - domain_auto_trans($2, thunderbird_exec_t, thunderbird_t) - allow $2 thunderbird_t:fd use; - allow $2 thunderbird_t:shm { associate getattr }; - allow $2 thunderbird_t:unix_stream_socket connectto; - allow thunderbird_t $2:fd use; - allow thunderbird_t $2:process sigchld; - allow thunderbird_t $2:unix_stream_socket connectto; - - # allow ps to show thunderbird and allow the user to kill it - ps_process_pattern($2, thunderbird_t) - allow $2 thunderbird_t:process signal; - - # Access ~/.thunderbird - manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) - manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) - relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) -') - -######################################## -## -## Run thunderbird in the user thunderbird domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`thunderbird_domtrans',` - gen_require(` - type thunderbird_t, thunderbird_exec_t; - ') - - domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) -') diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te deleted file mode 100644 index f50789e4f..000000000 --- a/policy/modules/apps/thunderbird.te +++ /dev/null @@ -1,210 +0,0 @@ -policy_module(thunderbird, 2.2.0) - -######################################## -# -# Declarations -# - -type thunderbird_t; -type thunderbird_exec_t; -typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; -typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; -application_domain(thunderbird_t, thunderbird_exec_t) -ubac_constrained(thunderbird_t) - -type thunderbird_home_t; -typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; -typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t }; -userdom_user_home_content(thunderbird_home_t) - -type thunderbird_tmpfs_t; -typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; -typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; -files_tmpfs_file(thunderbird_tmpfs_t) -ubac_constrained(thunderbird_tmpfs_t) - -######################################## -# -# Local policy -# - -allow thunderbird_t self:capability sys_nice; -allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; -allow thunderbird_t self:fifo_file { ioctl read write getattr }; -allow thunderbird_t self:unix_dgram_socket { create connect }; -allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; -allow thunderbird_t self:tcp_socket create_socket_perms; -allow thunderbird_t self:shm { read write create destroy unix_read unix_write }; - -# Access ~/.thunderbird -manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) -userdom_search_user_home_dirs(thunderbird_t) - -manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) -fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -# Allow netstat -kernel_read_network_state(thunderbird_t) -kernel_read_net_sysctls(thunderbird_t) -kernel_read_system_state(thunderbird_t) - -# Startup shellscript -corecmd_exec_shell(thunderbird_t) - -corenet_all_recvfrom_unlabeled(thunderbird_t) -corenet_all_recvfrom_netlabel(thunderbird_t) -corenet_tcp_sendrecv_generic_if(thunderbird_t) -corenet_tcp_sendrecv_generic_node(thunderbird_t) -corenet_tcp_sendrecv_ipp_port(thunderbird_t) -corenet_tcp_sendrecv_ldap_port(thunderbird_t) -corenet_tcp_sendrecv_innd_port(thunderbird_t) -corenet_tcp_sendrecv_smtp_port(thunderbird_t) -corenet_tcp_sendrecv_pop_port(thunderbird_t) -corenet_tcp_sendrecv_http_port(thunderbird_t) -corenet_tcp_connect_ipp_port(thunderbird_t) -corenet_tcp_connect_ldap_port(thunderbird_t) -corenet_tcp_connect_innd_port(thunderbird_t) -corenet_tcp_connect_smtp_port(thunderbird_t) -corenet_tcp_connect_pop_port(thunderbird_t) -corenet_tcp_connect_http_port(thunderbird_t) -corenet_sendrecv_ipp_client_packets(thunderbird_t) -corenet_sendrecv_ldap_client_packets(thunderbird_t) -corenet_sendrecv_innd_client_packets(thunderbird_t) -corenet_sendrecv_smtp_client_packets(thunderbird_t) -corenet_sendrecv_pop_client_packets(thunderbird_t) -corenet_sendrecv_http_client_packets(thunderbird_t) - -dev_read_urand(thunderbird_t) -dev_dontaudit_search_sysfs(thunderbird_t) - -files_list_tmp(thunderbird_t) -files_read_usr_files(thunderbird_t) -files_read_etc_files(thunderbird_t) -files_read_etc_runtime_files(thunderbird_t) -files_read_var_files(thunderbird_t) -files_read_var_symlinks(thunderbird_t) -files_dontaudit_getattr_all_tmp_files(thunderbird_t) -files_dontaudit_getattr_boot_dirs(thunderbird_t) -files_dontaudit_getattr_lost_found_dirs(thunderbird_t) -files_dontaudit_search_mnt(thunderbird_t) - -fs_getattr_xattr_fs(thunderbird_t) -fs_list_inotifyfs(thunderbird_t) -# Access ~/.thunderbird -fs_search_auto_mountpoints(thunderbird_t) - -auth_use_nsswitch(thunderbird_t) - -miscfiles_read_fonts(thunderbird_t) -miscfiles_read_localization(thunderbird_t) - -userdom_manage_user_tmp_dirs(thunderbird_t) -userdom_read_user_tmp_files(thunderbird_t) -userdom_manage_user_tmp_sockets(thunderbird_t) -# .kde/....gtkrc -userdom_read_user_home_content_files(thunderbird_t) - -xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) -xserver_read_xdm_tmp_files(thunderbird_t) -xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) - -# Access ~/.thunderbird -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(thunderbird_t) - fs_manage_nfs_files(thunderbird_t) - fs_manage_nfs_symlinks(thunderbird_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(thunderbird_t) - fs_manage_cifs_files(thunderbird_t) - fs_manage_cifs_symlinks(thunderbird_t) -') - -tunable_policy(`mail_read_content && use_nfs_home_dirs',` - files_list_home(thunderbird_t) - - fs_list_auto_mountpoints(thunderbird_t) - fs_read_nfs_files(thunderbird_t) - fs_read_nfs_symlinks(thunderbird_t) -',` - files_dontaudit_list_home(thunderbird_t) - - fs_dontaudit_list_auto_mountpoints(thunderbird_t) - fs_dontaudit_list_nfs(thunderbird_t) - fs_dontaudit_read_nfs_files(thunderbird_t) -') - -tunable_policy(`mail_read_content && use_samba_home_dirs',` - files_list_home(thunderbird_t) - - fs_list_auto_mountpoints(thunderbird_t) - fs_read_cifs_files(thunderbird_t) - fs_read_cifs_symlinks(thunderbird_t) -',` - files_dontaudit_list_home(thunderbird_t) - - fs_dontaudit_list_auto_mountpoints(thunderbird_t) - fs_dontaudit_read_cifs_files(thunderbird_t) - fs_dontaudit_list_cifs(thunderbird_t) -') - -tunable_policy(`mail_read_content',` - userdom_list_user_tmp(thunderbird_t) - userdom_read_user_tmp_files(thunderbird_t) - userdom_read_user_tmp_symlinks(thunderbird_t) - userdom_search_user_home_dirs(thunderbird_t) - userdom_read_user_home_content_files(thunderbird_t) - - ifndef(`enable_mls',` - fs_search_removable(thunderbird_t) - fs_read_removable_files(thunderbird_t) - fs_read_removable_symlinks(thunderbird_t) - ') -',` - files_dontaudit_list_tmp(thunderbird_t) - files_dontaudit_list_home(thunderbird_t) - - fs_dontaudit_list_removable(thunderbird_t) - fs_dontaudit_read_removable_files(thunderbird_t) - - userdom_dontaudit_list_user_tmp(thunderbird_t) - userdom_dontaudit_read_user_tmp_files(thunderbird_t) - userdom_dontaudit_list_user_home_dirs(thunderbird_t) - userdom_dontaudit_read_user_home_content_files(thunderbird_t) -') - -optional_policy(` - dbus_system_bus_client(thunderbird_t) - dbus_session_bus_client(thunderbird_t) -') - -optional_policy(` - cups_read_rw_config(thunderbird_t) - cups_dbus_chat(thunderbird_t) -') - -optional_policy(` - gnome_stream_connect_gconf(thunderbird_t) - gnome_domtrans_gconfd(thunderbird_t) - gnome_manage_config(thunderbird_t) -') - -optional_policy(` - gpg_domtrans(thunderbird_t) -') - -optional_policy(` - lpd_domtrans_lpr(thunderbird_t) -') - -optional_policy(` - mozilla_read_user_home_files(thunderbird_t) - mozilla_domtrans(thunderbird_t) - mozilla_dbus_chat(thunderbird_t) -') diff --git a/policy/modules/apps/tvtime.fc b/policy/modules/apps/tvtime.fc deleted file mode 100644 index 8698a6137..000000000 --- a/policy/modules/apps/tvtime.fc +++ /dev/null @@ -1,5 +0,0 @@ -# -# /usr -# -/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0) - diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if deleted file mode 100644 index 8d89f211b..000000000 --- a/policy/modules/apps/tvtime.if +++ /dev/null @@ -1,40 +0,0 @@ -## tvtime - a high quality television application - -######################################## -## -## Role access for tvtime -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`tvtime_role',` - gen_require(` - type tvtime_t, tvtime_exec_t; - type tvtime_home_t, tvtime_tmpfs_t; - ') - - role $1 types tvtime_t; - - # Type transition - domtrans_pattern($2, tvtime_exec_t, tvtime_t) - - # X access, Home files - manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t) - manage_files_pattern($2, tvtime_home_t, tvtime_home_t) - manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_files_pattern($2, tvtime_home_t, tvtime_home_t) - relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, tvtime_t) - allow $2 tvtime_t:process signal_perms; -') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te deleted file mode 100644 index 11fe4f26e..000000000 --- a/policy/modules/apps/tvtime.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(tvtime, 2.1.0) - -######################################## -# -# Declarations -# - -type tvtime_t; -type tvtime_exec_t; -typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; -typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; -application_domain(tvtime_t, tvtime_exec_t) -ubac_constrained(tvtime_t) - -type tvtime_home_t alias tvtime_rw_t; -typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; -typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t }; -userdom_user_home_content(tvtime_home_t) - -type tvtime_tmp_t; -typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; -typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; -files_tmp_file(tvtime_tmp_t) -ubac_constrained(tvtime_tmp_t) - -type tvtime_tmpfs_t; -typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; -typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; -files_tmpfs_file(tvtime_tmpfs_t) -ubac_constrained(tvtime_tmpfs_t) - -######################################## -# -# Local policy -# - -allow tvtime_t self:capability { setuid sys_nice sys_resource }; -allow tvtime_t self:process setsched; -allow tvtime_t self:unix_dgram_socket rw_socket_perms; -allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; - -# X access, Home files -manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) - -manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir }) - -manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) -fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) - -kernel_read_all_sysctls(tvtime_t) -kernel_get_sysvipc_info(tvtime_t) - -dev_read_urand(tvtime_t) -dev_read_realtime_clock(tvtime_t) -dev_read_sound(tvtime_t) - -files_read_usr_files(tvtime_t) -files_search_pids(tvtime_t) -# Read /etc/tvtime -files_read_etc_files(tvtime_t) - -# X access, Home files -fs_search_auto_mountpoints(tvtime_t) - -miscfiles_read_localization(tvtime_t) -miscfiles_read_fonts(tvtime_t) - -userdom_use_user_terminals(tvtime_t) -userdom_read_user_home_content_files(tvtime_t) - -# X access, Home files -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(tvtime_t) - fs_manage_nfs_files(tvtime_t) - fs_manage_nfs_symlinks(tvtime_t) -') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(tvtime_t) - fs_manage_cifs_files(tvtime_t) - fs_manage_cifs_symlinks(tvtime_t) -') - -optional_policy(` - xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) -') diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc deleted file mode 100644 index b8b9520c3..000000000 --- a/policy/modules/apps/uml.fc +++ /dev/null @@ -1,14 +0,0 @@ -# -# HOME_DIR/ -# -HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) - -# -# /usr -# -/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) - -# -# /var -# -/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if deleted file mode 100644 index d2ab7cba7..000000000 --- a/policy/modules/apps/uml.if +++ /dev/null @@ -1,99 +0,0 @@ -## Policy for UML - -######################################## -## -## Role access for uml -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`uml_role',` - gen_require(` - type uml_t, uml_exec_t; - type uml_ro_t, uml_rw_t, uml_tmp_t; - type uml_devpts_t, uml_tmpfs_t; - ') - - role $1 types uml_t; - - # Transition from the user domain to this domain. - domtrans_pattern($2, uml_exec_t, uml_t) - - # for mconsole - allow $2 uml_t:unix_dgram_socket sendto; - allow uml_t $2:unix_dgram_socket sendto; - - # allow ps, ptrace, signal - ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; - - allow $2 uml_ro_t:dir list_dir_perms; - read_files_pattern($2, uml_ro_t, uml_ro_t) - read_lnk_files_pattern($2, uml_ro_t, uml_ro_t) - - manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) - - manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) - - manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t) - manage_files_pattern($2, uml_tmp_t, uml_tmp_t) - manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t) - manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t) -') - -######################################## -## -## Set attributes on uml utility socket files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uml_setattr_util_sockets',` - gen_require(` - type uml_switch_var_run_t; - ') - - allow $1 uml_switch_var_run_t:sock_file setattr; -') - -######################################## -## -## Manage uml utility files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uml_manage_util_files',` - gen_require(` - type uml_switch_var_run_t; - ') - - manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) - manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) -') diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te deleted file mode 100644 index 2df1343ee..000000000 --- a/policy/modules/apps/uml.te +++ /dev/null @@ -1,191 +0,0 @@ -policy_module(uml, 2.1.0) - -######################################## -# -# Declarations -# - -type uml_t; -type uml_exec_t; -typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; -typealias uml_t alias { auditadm_uml_t secadm_uml_t }; -application_domain(uml_t, uml_exec_t) -ubac_constrained(uml_t) - -type uml_ro_t; -typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; -typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t }; -userdom_user_home_content(uml_ro_t) - -type uml_rw_t; -typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t }; -typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t }; -userdom_user_home_content(uml_rw_t) - -type uml_tmp_t; -typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; -typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; -files_tmp_file(uml_tmp_t) -ubac_constrained(uml_tmp_t) - -type uml_tmpfs_t; -typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; -typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; -files_tmpfs_file(uml_tmpfs_t) -ubac_constrained(uml_tmpfs_t) - -type uml_devpts_t; -typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; -typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t }; -term_pty(uml_devpts_t) -ubac_constrained(uml_devpts_t) - -type uml_switch_t; -type uml_switch_exec_t; -init_daemon_domain(uml_switch_t, uml_switch_exec_t) - -type uml_switch_var_run_t; -files_pid_file(uml_switch_var_run_t) - -######################################## -# -# Local policy -# - -allow uml_t self:fifo_file rw_fifo_file_perms; -allow uml_t self:process { signal_perms ptrace }; -allow uml_t self:unix_stream_socket create_stream_socket_perms; -allow uml_t self:unix_dgram_socket create_socket_perms; -# Use the network. -allow uml_t self:tcp_socket create_stream_socket_perms; -allow uml_t self:udp_socket create_socket_perms; -allow uml_t self:tun_socket create; -# for mconsole -allow uml_t self:unix_dgram_socket sendto; - -# allow the UML thing to happen -allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr }; -term_create_pty(uml_t, uml_devpts_t) - -manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t) -manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t) -files_tmp_filetrans(uml_t, uml_tmp_t, { file dir }) -can_exec(uml_t, uml_tmp_t) - -manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) -fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file }) -can_exec(uml_t, uml_tmpfs_t) - -# access config files -allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms; -read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) -read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) - -manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t) -manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t) -userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file }) - -can_exec(uml_t, { uml_exec_t uml_exec_t }) - -kernel_read_system_state(uml_t) -# for SKAS - need something better -kernel_write_proc_files(uml_t) - -# for xterm -corecmd_exec_bin(uml_t) - -corenet_all_recvfrom_unlabeled(uml_t) -corenet_all_recvfrom_netlabel(uml_t) -corenet_tcp_sendrecv_generic_if(uml_t) -corenet_udp_sendrecv_generic_if(uml_t) -corenet_tcp_sendrecv_generic_node(uml_t) -corenet_udp_sendrecv_generic_node(uml_t) -corenet_tcp_sendrecv_all_ports(uml_t) -corenet_udp_sendrecv_all_ports(uml_t) -corenet_tcp_connect_all_ports(uml_t) -corenet_sendrecv_all_client_packets(uml_t) -corenet_rw_tun_tap_dev(uml_t) - -domain_use_interactive_fds(uml_t) - -# for xterm -files_read_etc_files(uml_t) -files_dontaudit_read_etc_runtime_files(uml_t) -# putting uml data under /var is usual... -files_search_var(uml_t) - -fs_getattr_xattr_fs(uml_t) - -init_read_utmp(uml_t) -init_dontaudit_write_utmp(uml_t) - -# for xterm -libs_exec_lib_files(uml_t) - -# Inherit and use descriptors from newrole. -seutil_use_newrole_fds(uml_t) - -# Use the network. -sysnet_read_config(uml_t) - -userdom_use_user_terminals(uml_t) -userdom_attach_admin_tun_iface(uml_t) - -optional_policy(` - nis_use_ypbind(uml_t) -') - -optional_policy(` - virt_attach_tun_iface(uml_t) -') - -######################################## -# -# Local policy -# - -dontaudit uml_switch_t self:capability sys_tty_config; -allow uml_switch_t self:process signal_perms; -allow uml_switch_t self:unix_dgram_socket create_socket_perms; -allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) -manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) -files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file) - -kernel_read_kernel_sysctls(uml_switch_t) -kernel_list_proc(uml_switch_t) -kernel_read_proc_symlinks(uml_switch_t) - -dev_read_sysfs(uml_switch_t) - -domain_use_interactive_fds(uml_switch_t) - -fs_getattr_all_fs(uml_switch_t) -fs_search_auto_mountpoints(uml_switch_t) - -term_dontaudit_use_console(uml_switch_t) - -init_use_fds(uml_switch_t) -init_use_script_ptys(uml_switch_t) - -logging_send_syslog_msg(uml_switch_t) - -miscfiles_read_localization(uml_switch_t) - -userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) -userdom_dontaudit_search_user_home_dirs(uml_switch_t) - -optional_policy(` - seutil_sigchld_newrole(uml_switch_t) -') - -optional_policy(` - udev_read_db(uml_switch_t) -') diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc deleted file mode 100644 index e70b0e8b0..000000000 --- a/policy/modules/apps/userhelper.fc +++ /dev/null @@ -1,9 +0,0 @@ -# -# /etc -# -/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) - -# -# /usr -# -/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if deleted file mode 100644 index ced285aaa..000000000 --- a/policy/modules/apps/userhelper.if +++ /dev/null @@ -1,258 +0,0 @@ -## SELinux utility to run a shell with a new role - -####################################### -## -## The role template for the userhelper module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The user role. -## -## -## -## -## The user domain associated with the role. -## -## -# -template(`userhelper_role_template',` - gen_require(` - attribute userhelper_type; - type userhelper_exec_t, userhelper_conf_t; - ') - - ######################################## - # - # Declarations - # - - type $1_userhelper_t, userhelper_type; - application_domain($1_userhelper_t, userhelper_exec_t) - domain_role_change_exemption($1_userhelper_t) - domain_obj_id_change_exemption($1_userhelper_t) - domain_interactive_fd($1_userhelper_t) - domain_subj_id_change_exemption($1_userhelper_t) - ubac_constrained($1_userhelper_t) - role $2 types $1_userhelper_t; - - ######################################## - # - # Local policy - # - allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; - allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_userhelper_t self:process setexec; - allow $1_userhelper_t self:fd use; - allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; - allow $1_userhelper_t self:shm create_shm_perms; - allow $1_userhelper_t self:sem create_sem_perms; - allow $1_userhelper_t self:msgq create_msgq_perms; - allow $1_userhelper_t self:msg { send receive }; - allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; - allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; - allow $1_userhelper_t self:unix_dgram_socket sendto; - allow $1_userhelper_t self:unix_stream_socket connectto; - allow $1_userhelper_t self:sock_file read_sock_file_perms; - - #Transition to the derived domain. - domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) - - allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; - rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) - - can_exec($1_userhelper_t, userhelper_exec_t) - - dontaudit $3 $1_userhelper_t:process signal; - - kernel_read_all_sysctls($1_userhelper_t) - kernel_getattr_debugfs($1_userhelper_t) - kernel_read_system_state($1_userhelper_t) - - # Execute shells - corecmd_exec_shell($1_userhelper_t) - # By default, revert to the calling domain when a program is executed - corecmd_bin_domtrans($1_userhelper_t, $3) - - # Inherit descriptors from the current session. - domain_use_interactive_fds($1_userhelper_t) - # for when the user types "exec userhelper" at the command line - domain_sigchld_interactive_fds($1_userhelper_t) - - dev_read_urand($1_userhelper_t) - # Read /dev directories and any symbolic links. - dev_list_all_dev_nodes($1_userhelper_t) - - files_list_var_lib($1_userhelper_t) - # Read the /etc/security/default_type file - files_read_etc_files($1_userhelper_t) - # Read /var. - files_read_var_files($1_userhelper_t) - files_read_var_symlinks($1_userhelper_t) - # for some PAM modules and for cwd - files_search_home($1_userhelper_t) - - fs_search_auto_mountpoints($1_userhelper_t) - fs_read_nfs_files($1_userhelper_t) - fs_read_nfs_symlinks($1_userhelper_t) - - # Allow $1_userhelper to obtain contexts to relabel TTYs - selinux_get_fs_mount($1_userhelper_t) - selinux_validate_context($1_userhelper_t) - selinux_compute_access_vector($1_userhelper_t) - selinux_compute_create_context($1_userhelper_t) - selinux_compute_relabel_context($1_userhelper_t) - selinux_compute_user_contexts($1_userhelper_t) - - # Read the devpts root directory. - term_list_ptys($1_userhelper_t) - # Relabel terminals. - term_relabel_all_ttys($1_userhelper_t) - term_relabel_all_ptys($1_userhelper_t) - # Access terminals. - term_use_all_ttys($1_userhelper_t) - term_use_all_ptys($1_userhelper_t) - - auth_domtrans_chk_passwd($1_userhelper_t) - auth_manage_pam_pid($1_userhelper_t) - auth_manage_var_auth($1_userhelper_t) - auth_search_pam_console_data($1_userhelper_t) - - # Inherit descriptors from the current session. - init_use_fds($1_userhelper_t) - # Write to utmp. - init_manage_utmp($1_userhelper_t) - init_pid_filetrans_utmp($1_userhelper_t) - - miscfiles_read_localization($1_userhelper_t) - - seutil_read_config($1_userhelper_t) - seutil_read_default_contexts($1_userhelper_t) - - # Allow $1_userhelper_t to transition to user domains. - userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) - userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) - - ifdef(`distro_redhat',` - optional_policy(` - # Allow transitioning to rpm_t, for up2date - rpm_domtrans($1_userhelper_t) - ') - ') - - optional_policy(` - logging_send_syslog_msg($1_userhelper_t) - ') - - optional_policy(` - nis_use_ypbind($1_userhelper_t) - ') - - optional_policy(` - nscd_socket_use($1_userhelper_t) - ') - - optional_policy(` - tunable_policy(`! secure_mode',` - #if we are not in secure mode then we can transition to sysadm_t - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') - ') -') - -######################################## -## -## Search the userhelper configuration directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_search_config',` - gen_require(` - type userhelper_conf_t; - ') - - allow $1 userhelper_conf_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search -## the userhelper configuration directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`userhelper_dontaudit_search_config',` - gen_require(` - type userhelper_conf_t; - ') - - dontaudit $1 userhelper_conf_t:dir search_dir_perms; -') - -######################################## -## -## Allow domain to use userhelper file descriptor. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_use_fd',` - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:fd use; -') - -######################################## -## -## Allow domain to send sigchld to userhelper. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_sigchld',` - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:process sigchld; -') - -######################################## -## -## Execute the userhelper program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`userhelper_exec',` - gen_require(` - type userhelper_exec_t; - ') - - can_exec($1, userhelper_exec_t) -') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te deleted file mode 100644 index 13b2cea26..000000000 --- a/policy/modules/apps/userhelper.te +++ /dev/null @@ -1,14 +0,0 @@ -policy_module(userhelper, 1.6.0) - -######################################## -# -# Declarations -# - -attribute userhelper_type; - -type userhelper_conf_t; -files_type(userhelper_conf_t) - -type userhelper_exec_t; -application_executable_file(userhelper_exec_t) diff --git a/policy/modules/apps/usernetctl.fc b/policy/modules/apps/usernetctl.fc deleted file mode 100644 index aa07e1e43..000000000 --- a/policy/modules/apps/usernetctl.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0) diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if deleted file mode 100644 index ba9b9d6ac..000000000 --- a/policy/modules/apps/usernetctl.if +++ /dev/null @@ -1,64 +0,0 @@ -## User network interface configuration helper - -######################################## -## -## Execute usernetctl in the usernetctl domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usernetctl_domtrans',` - gen_require(` - type usernetctl_t, usernetctl_exec_t; - ') - - domtrans_pattern($1, usernetctl_exec_t, usernetctl_t) -') - -######################################## -## -## Execute usernetctl in the usernetctl domain, and -## allow the specified role the usernetctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`usernetctl_run',` - gen_require(` - type usernetctl_t; - ') - - usernetctl_domtrans($1) - role $2 types usernetctl_t; - - sysnet_run_ifconfig(usernetctl_t, $2) - sysnet_run_dhcpc(usernetctl_t, $2) - - optional_policy(` - consoletype_run(usernetctl_t, $2) - ') - - optional_policy(` - iptables_run(usernetctl_t, $2) - ') - - optional_policy(` - modutils_run_insmod(usernetctl_t, $2) - ') - - optional_policy(` - ppp_run(usernetctl_t, $2) - ') -') diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te deleted file mode 100644 index 958681859..000000000 --- a/policy/modules/apps/usernetctl.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(usernetctl, 1.5.0) - -######################################## -# -# Declarations -# - -type usernetctl_t; -type usernetctl_exec_t; -application_domain(usernetctl_t, usernetctl_exec_t) -domain_interactive_fd(usernetctl_t) - -######################################## -# -# Local policy -# - -allow usernetctl_t self:capability { setuid setgid dac_override }; -allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow usernetctl_t self:fd use; -allow usernetctl_t self:fifo_file rw_fifo_file_perms; -allow usernetctl_t self:shm create_shm_perms; -allow usernetctl_t self:sem create_sem_perms; -allow usernetctl_t self:msgq create_msgq_perms; -allow usernetctl_t self:msg { send receive }; -allow usernetctl_t self:unix_dgram_socket create_socket_perms; -allow usernetctl_t self:unix_stream_socket create_stream_socket_perms; -allow usernetctl_t self:unix_dgram_socket sendto; -allow usernetctl_t self:unix_stream_socket connectto; - -can_exec(usernetctl_t, usernetctl_exec_t) - -kernel_read_system_state(usernetctl_t) -kernel_read_kernel_sysctls(usernetctl_t) - -corecmd_list_bin(usernetctl_t) -corecmd_exec_bin(usernetctl_t) -corecmd_exec_shell(usernetctl_t) - -domain_dontaudit_read_all_domains_state(usernetctl_t) - -files_read_etc_files(usernetctl_t) -files_exec_etc_files(usernetctl_t) -files_read_etc_runtime_files(usernetctl_t) -files_list_pids(usernetctl_t) -files_list_home(usernetctl_t) -files_read_usr_files(usernetctl_t) - -fs_search_auto_mountpoints(usernetctl_t) - -auth_use_nsswitch(usernetctl_t) - -logging_send_syslog_msg(usernetctl_t) - -miscfiles_read_localization(usernetctl_t) - -seutil_read_config(usernetctl_t) - -sysnet_read_config(usernetctl_t) - -userdom_use_user_terminals(usernetctl_t) - -optional_policy(` - hostname_exec(usernetctl_t) -') - -optional_policy(` - nis_use_ypbind(usernetctl_t) -') diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc deleted file mode 100644 index 621d5fdac..000000000 --- a/policy/modules/apps/vlock.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if deleted file mode 100644 index c5eeea08c..000000000 --- a/policy/modules/apps/vlock.if +++ /dev/null @@ -1,46 +0,0 @@ -## Lock one or more sessions on the Linux console. - -####################################### -## -## Execute vlock in the vlock domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vlock_domtrans',` - gen_require(` - type vlock_t, vlock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vlock_exec_t, vlock_t) -') - -######################################## -## -## Execute vlock in the vlock domain, and -## allow the specified role the vlock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed to access. -## -## -## -# -interface(`vlock_run',` - gen_require(` - type vlock_t; - ') - - vlock_domtrans($1) - role $2 types vlock_t; -') diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te deleted file mode 100644 index 25110934c..000000000 --- a/policy/modules/apps/vlock.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(vlock, 1.1.0) - -######################################## -# -# Declarations -# - -type vlock_t; -type vlock_exec_t; -application_domain(vlock_t, vlock_exec_t) - -######################################## -# -# Local policy -# - -# --enable-pam is recommended when configuring vlock, making it -# unnecessary to be a setuid program. -dontaudit vlock_t self:capability { setuid setgid }; -allow vlock_t self:fd use; -allow vlock_t self:fifo_file rw_fifo_file_perms; -allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow vlock_t self:unix_dgram_socket { create connect }; - -kernel_read_system_state(vlock_t) - -corecmd_list_bin(vlock_t) -corecmd_read_bin_symlinks(vlock_t) - -# Must call this interface otherwise PAM session will fail -# with message of "terminal=? res=failed" -domain_use_interactive_fds(vlock_t) - -files_dontaudit_search_home(vlock_t) -files_read_etc_files(vlock_t) - -# pam_tally2 module could be used by vlock for authentication, -# /var/log/tallylog's SL is usually s0, while the caller's SL could -# be higher than s0. -mls_file_write_all_levels(vlock_t) - -selinux_dontaudit_getattr_fs(vlock_t) - -auth_domtrans_chk_passwd(vlock_t) - -init_dontaudit_rw_utmp(vlock_t) - -logging_send_syslog_msg(vlock_t) - -miscfiles_read_localization(vlock_t) - -userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc deleted file mode 100644 index f647c7e18..000000000 --- a/policy/modules/apps/vmware.fc +++ /dev/null @@ -1,71 +0,0 @@ -# -# HOME_DIR/ -# -HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) -HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0) -HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) - -# -# /etc -# -/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0) - -# -# /usr -# -/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) - -/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) -/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - -ifdef(`distro_redhat',` -/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -') - -/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) -/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) -/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - -/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) - -ifdef(`distro_gentoo',` -/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) -/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) -') - -/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) - -/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) -/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) -/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if deleted file mode 100644 index 853f5754b..000000000 --- a/policy/modules/apps/vmware.if +++ /dev/null @@ -1,104 +0,0 @@ -## VMWare Workstation virtual machines - -######################################## -## -## Role access for vmware -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`vmware_role',` - gen_require(` - type vmware_t, vmware_exec_t; - ') - - role $1 types vmware_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, vmware_exec_t, vmware_t) - - # allow ps to show vmware and allow the user to kill it - ps_process_pattern($2, vmware_t) - allow $2 vmware_t:process signal; -') - -######################################## -## -## Execute vmware host executables -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_exec_host',` - gen_require(` - type vmware_host_exec_t; - ') - - can_exec($1, vmware_host_exec_t) -') - -######################################## -## -## Read VMWare system configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_read_system_config',` - gen_require(` - type vmware_sys_conf_t; - ') - - allow $1 vmware_sys_conf_t:file { getattr read }; -') - -######################################## -## -## Append to VMWare system configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_append_system_config',` - gen_require(` - type vmware_sys_conf_t; - ') - - allow $1 vmware_sys_conf_t:file append; -') - -######################################## -## -## Append to VMWare log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vmware_append_log',` - gen_require(` - type vmware_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, vmware_log_t, vmware_log_t) -') diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te deleted file mode 100644 index 722e59f53..000000000 --- a/policy/modules/apps/vmware.te +++ /dev/null @@ -1,286 +0,0 @@ -policy_module(vmware, 2.4.0) - -######################################## -# -# Declarations -# - -# VMWare user program -type vmware_t; -type vmware_exec_t; -typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; -typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t }; -application_domain(vmware_t, vmware_exec_t) -ubac_constrained(vmware_t) - -type vmware_conf_t; -typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t }; -typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t }; -userdom_user_home_content(vmware_conf_t) - -type vmware_file_t; -typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t }; -typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t }; -userdom_user_home_content(vmware_file_t) - -# VMWare host programs -type vmware_host_t; -type vmware_host_exec_t; -init_daemon_domain(vmware_host_t, vmware_host_exec_t) - -type vmware_host_pid_t alias vmware_var_run_t; -files_pid_file(vmware_host_pid_t) - -type vmware_host_tmp_t; -files_tmp_file(vmware_host_tmp_t) -ubac_constrained(vmware_host_tmp_t) - -type vmware_log_t; -typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; -typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; -logging_log_file(vmware_log_t) -ubac_constrained(vmware_log_t) - -type vmware_pid_t; -typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t }; -typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t }; -files_pid_file(vmware_pid_t) -ubac_constrained(vmware_pid_t) - -# Systemwide configuration files -type vmware_sys_conf_t; -files_type(vmware_sys_conf_t) - -type vmware_tmp_t; -typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; -typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; -files_tmp_file(vmware_tmp_t) -ubac_constrained(vmware_tmp_t) - -type vmware_tmpfs_t; -typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; -typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }; -files_tmpfs_file(vmware_tmpfs_t) -ubac_constrained(vmware_tmpfs_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# VMWare host local policy -# - -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; -dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process { execstack execmem signal_perms }; -allow vmware_host_t self:fifo_file rw_fifo_file_perms; -allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; -allow vmware_host_t self:rawip_socket create_socket_perms; -allow vmware_host_t self:tcp_socket create_socket_perms; - -can_exec(vmware_host_t, vmware_host_exec_t) - -# cjp: the ro and rw files should be split up -manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) -manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) - -manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) -files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) - -manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) - -manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) -logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) - -kernel_read_kernel_sysctls(vmware_host_t) -kernel_read_system_state(vmware_host_t) -kernel_read_network_state(vmware_host_t) - -corenet_all_recvfrom_unlabeled(vmware_host_t) -corenet_all_recvfrom_netlabel(vmware_host_t) -corenet_tcp_sendrecv_generic_if(vmware_host_t) -corenet_udp_sendrecv_generic_if(vmware_host_t) -corenet_raw_sendrecv_generic_if(vmware_host_t) -corenet_tcp_sendrecv_generic_node(vmware_host_t) -corenet_udp_sendrecv_generic_node(vmware_host_t) -corenet_raw_sendrecv_generic_node(vmware_host_t) -corenet_tcp_sendrecv_all_ports(vmware_host_t) -corenet_udp_sendrecv_all_ports(vmware_host_t) -corenet_raw_bind_generic_node(vmware_host_t) -corenet_tcp_bind_generic_node(vmware_host_t) -corenet_udp_bind_generic_node(vmware_host_t) -corenet_tcp_connect_all_ports(vmware_host_t) -corenet_sendrecv_all_client_packets(vmware_host_t) -corenet_sendrecv_all_server_packets(vmware_host_t) - -corecmd_exec_bin(vmware_host_t) -corecmd_exec_shell(vmware_host_t) - -dev_getattr_all_blk_files(vmware_host_t) -dev_read_sysfs(vmware_host_t) -dev_read_urand(vmware_host_t) -dev_rw_vmware(vmware_host_t) - -domain_use_interactive_fds(vmware_host_t) -domain_dontaudit_read_all_domains_state(vmware_host_t) - -files_list_tmp(vmware_host_t) -files_read_etc_files(vmware_host_t) -files_read_etc_runtime_files(vmware_host_t) -files_read_usr_files(vmware_host_t) - -fs_getattr_all_fs(vmware_host_t) -fs_search_auto_mountpoints(vmware_host_t) - -storage_getattr_fixed_disk_dev(vmware_host_t) - -term_dontaudit_use_console(vmware_host_t) - -init_use_fds(vmware_host_t) -init_use_script_ptys(vmware_host_t) - -libs_exec_ld_so(vmware_host_t) - -logging_send_syslog_msg(vmware_host_t) - -miscfiles_read_localization(vmware_host_t) - -sysnet_dns_name_resolve(vmware_host_t) -sysnet_domtrans_ifconfig(vmware_host_t) - -userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) -userdom_dontaudit_search_user_home_dirs(vmware_host_t) - -netutils_domtrans_ping(vmware_host_t) - -optional_policy(` - hostname_exec(vmware_host_t) -') - -optional_policy(` - modutils_domtrans_insmod(vmware_host_t) -') - -optional_policy(` - samba_read_config(vmware_host_t) -') - -optional_policy(` - seutil_sigchld_newrole(vmware_host_t) -') - -optional_policy(` - shutdown_domtrans(vmware_host_t) -') - -optional_policy(` - udev_read_db(vmware_host_t) -') - -optional_policy(` - xserver_read_tmp_files(vmware_host_t) - xserver_read_xdm_pid(vmware_host_t) -') - -############################## -# -# VMWare guest local policy -# - -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; -dontaudit vmware_t self:capability sys_tty_config; -allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow vmware_t self:process { execmem execstack }; -allow vmware_t self:fd use; -allow vmware_t self:fifo_file rw_fifo_file_perms; -allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; -allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow vmware_t self:shm create_shm_perms; -allow vmware_t self:sem create_sem_perms; -allow vmware_t self:msgq create_msgq_perms; -allow vmware_t self:msg { send receive }; - -can_exec(vmware_t, vmware_exec_t) - -# User configuration files -allow vmware_t vmware_conf_t:file manage_file_perms; - -# VMWare disks -manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) -manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) - -allow vmware_t vmware_tmp_t:file execute; -manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) -files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir }) - -manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) -fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Read clobal configuration files -allow vmware_t vmware_sys_conf_t:dir list_dir_perms; -read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) -read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) - -manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) -files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) - -kernel_read_system_state(vmware_t) -kernel_read_network_state(vmware_t) -kernel_read_kernel_sysctls(vmware_t) - -# startup scripts -corecmd_exec_bin(vmware_t) -corecmd_exec_shell(vmware_t) - -dev_read_raw_memory(vmware_t) -dev_write_raw_memory(vmware_t) -dev_read_mouse(vmware_t) -dev_write_sound(vmware_t) -dev_read_realtime_clock(vmware_t) -dev_rwx_vmware(vmware_t) -dev_rw_usbfs(vmware_t) -dev_search_sysfs(vmware_t) - -domain_use_interactive_fds(vmware_t) - -files_read_etc_files(vmware_t) -files_read_etc_runtime_files(vmware_t) -files_read_usr_files(vmware_t) -files_list_home(vmware_t) - -fs_getattr_all_fs(vmware_t) -fs_search_auto_mountpoints(vmware_t) - -storage_raw_read_removable_device(vmware_t) -storage_raw_write_removable_device(vmware_t) - -# startup scripts run ldd -libs_exec_ld_so(vmware_t) -# Access X11 config files -libs_read_lib_files(vmware_t) - -miscfiles_read_localization(vmware_t) - -userdom_use_user_terminals(vmware_t) -userdom_list_user_home_dirs(vmware_t) -# cjp: why? -userdom_read_user_home_content_files(vmware_t) - -sysnet_dns_name_resolve(vmware_t) -sysnet_read_config(vmware_t) - -xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t) diff --git a/policy/modules/apps/webalizer.fc b/policy/modules/apps/webalizer.fc deleted file mode 100644 index e4f7d30ee..000000000 --- a/policy/modules/apps/webalizer.fc +++ /dev/null @@ -1,10 +0,0 @@ - -# -# /usr -# -/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) - -# -# /var -# -/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if deleted file mode 100644 index 3c78e7ca3..000000000 --- a/policy/modules/apps/webalizer.if +++ /dev/null @@ -1,45 +0,0 @@ -## Web server log analysis - -######################################## -## -## Execute webalizer in the webalizer domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`webalizer_domtrans',` - gen_require(` - type webalizer_t, webalizer_exec_t; - ') - - domtrans_pattern($1, webalizer_exec_t, webalizer_t) -') - -######################################## -## -## Execute webalizer in the webalizer domain, and -## allow the specified role the webalizer domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`webalizer_run',` - gen_require(` - type webalizer_t; - ') - - webalizer_domtrans($1) - role $2 types webalizer_t; -') diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te deleted file mode 100644 index 75629b610..000000000 --- a/policy/modules/apps/webalizer.te +++ /dev/null @@ -1,109 +0,0 @@ -policy_module(webalizer, 1.11.0) - -######################################## -# -# Declarations -# - -type webalizer_t; -type webalizer_exec_t; -application_domain(webalizer_t, webalizer_exec_t) -role system_r types webalizer_t; - -type webalizer_etc_t; -files_config_file(webalizer_etc_t) - -type webalizer_usage_t; -files_type(webalizer_usage_t) - -type webalizer_tmp_t; -files_tmp_file(webalizer_tmp_t) - -type webalizer_var_lib_t; -files_type(webalizer_var_lib_t) - -type webalizer_write_t; -files_type(webalizer_write_t) - -######################################## -# -# Local policy -# - -allow webalizer_t self:capability dac_override; -allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow webalizer_t self:fd use; -allow webalizer_t self:fifo_file rw_fifo_file_perms; -allow webalizer_t self:sock_file read_sock_file_perms; -allow webalizer_t self:shm create_shm_perms; -allow webalizer_t self:sem create_sem_perms; -allow webalizer_t self:msgq create_msgq_perms; -allow webalizer_t self:msg { send receive }; -allow webalizer_t self:unix_dgram_socket create_socket_perms; -allow webalizer_t self:unix_stream_socket create_stream_socket_perms; -allow webalizer_t self:unix_dgram_socket sendto; -allow webalizer_t self:unix_stream_socket connectto; -allow webalizer_t self:tcp_socket connected_stream_socket_perms; -allow webalizer_t self:udp_socket { connect connected_socket_perms }; -allow webalizer_t self:netlink_route_socket r_netlink_socket_perms; - -allow webalizer_t webalizer_etc_t:file read_file_perms; - -manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) -manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) -files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) - -manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t) -files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) - -kernel_read_kernel_sysctls(webalizer_t) -kernel_read_system_state(webalizer_t) - -corenet_all_recvfrom_unlabeled(webalizer_t) -corenet_all_recvfrom_netlabel(webalizer_t) -corenet_tcp_sendrecv_generic_if(webalizer_t) -corenet_tcp_sendrecv_generic_node(webalizer_t) -corenet_tcp_sendrecv_all_ports(webalizer_t) - -fs_search_auto_mountpoints(webalizer_t) -fs_getattr_xattr_fs(webalizer_t) -fs_rw_anon_inodefs_files(webalizer_t) - -files_read_etc_files(webalizer_t) -files_read_etc_runtime_files(webalizer_t) - -logging_list_logs(webalizer_t) -logging_send_syslog_msg(webalizer_t) - -miscfiles_read_localization(webalizer_t) -miscfiles_read_public_files(webalizer_t) - -sysnet_dns_name_resolve(webalizer_t) -sysnet_read_config(webalizer_t) - -userdom_use_user_terminals(webalizer_t) -userdom_use_unpriv_users_fds(webalizer_t) -userdom_dontaudit_search_user_home_content(webalizer_t) - -apache_read_log(webalizer_t) -apache_manage_sys_content(webalizer_t) - -optional_policy(` - cron_system_entry(webalizer_t, webalizer_exec_t) -') - -optional_policy(` - ftp_read_log(webalizer_t) -') - -optional_policy(` - nis_use_ypbind(webalizer_t) -') - -optional_policy(` - nscd_socket_use(webalizer_t) -') - -optional_policy(` - squid_read_log(webalizer_t) -') diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc deleted file mode 100644 index 9d24449fb..000000000 --- a/policy/modules/apps/wine.fc +++ /dev/null @@ -1,21 +0,0 @@ -HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if deleted file mode 100644 index f9a73d040..000000000 --- a/policy/modules/apps/wine.if +++ /dev/null @@ -1,178 +0,0 @@ -## Wine Is Not an Emulator. Run Windows programs in Linux. - -####################################### -## -## The per role template for the wine module. -## -## -##

-## This template creates a derived domains which are used -## for wine applications. -##

-## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## -# -template(`wine_role',` - gen_require(` - type wine_exec_t; - ') - - role $1 types wine_t; - - domain_auto_trans($2, wine_exec_t, wine_t) - allow wine_t $2:fd use; - allow wine_t $2:process { sigchld signull }; - allow wine_t $2:unix_stream_socket connectto; - - # Allow the user domain to signal/ps. - ps_process_pattern($2, wine_t) - allow $2 wine_t:process signal_perms; - - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm { unix_read unix_write }; - allow $2 wine_t:unix_stream_socket connectto; - - # X access, Home files - manage_dirs_pattern($2, wine_home_t, wine_home_t) - manage_files_pattern($2, wine_home_t, wine_home_t) - manage_lnk_files_pattern($2, wine_home_t, wine_home_t) - relabel_dirs_pattern($2, wine_home_t, wine_home_t) - relabel_files_pattern($2, wine_home_t, wine_home_t) - relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) -') - -####################################### -## -## The role template for the wine module. -## -## -##

-## This template creates a derived domains which are used -## for wine applications. -##

-## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`wine_role_template',` - gen_require(` - type wine_exec_t; - ') - - type $1_wine_t; - domain_type($1_wine_t) - domain_entry_file($1_wine_t, wine_exec_t) - ubac_constrained($1_wine_t) - role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; - allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; - domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $1_t) - - userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) - - domain_mmap_low($1_wine_t) - - tunable_policy(`wine_mmap_zero_ignore',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - - optional_policy(` - xserver_role($1_r, $1_wine_t) - ') -') - -######################################## -## -## Execute the wine program in the wine domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wine_domtrans',` - gen_require(` - type wine_t, wine_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wine_exec_t, wine_t) -') - -######################################## -## -## Execute wine in the wine domain, and -## allow the specified role the wine domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`wine_run',` - gen_require(` - type wine_t; - ') - - wine_domtrans($1) - role $2 types wine_t; -') - -######################################## -## -## Read and write wine Shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# -interface(`wine_rw_shm',` - gen_require(` - type wine_t; - ') - - allow $1 wine_t:shm rw_shm_perms; -') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te deleted file mode 100644 index 4a539d992..000000000 --- a/policy/modules/apps/wine.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(wine, 1.9.0) - -######################################## -# -# Declarations -# - -## -##

-## Ignore wine mmap_zero errors. -##

-## -gen_tunable(wine_mmap_zero_ignore, false) - -type wine_t; -type wine_exec_t; -application_domain(wine_t, wine_exec_t) -ubac_constrained(wine_t) -role system_r types wine_t; - -type wine_tmp_t; -files_tmp_file(wine_tmp_t) -ubac_constrained(wine_tmp_t) - -######################################## -# -# Local policy -# - -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; - -can_exec(wine_t, wine_exec_t) - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) - -domain_mmap_low(wine_t) - -files_execmod_all_files(wine_t) - -userdom_use_user_terminals(wine_t) - -tunable_policy(`wine_mmap_zero_ignore',` - dontaudit wine_t self:memprotect mmap_zero; -') - -optional_policy(` - hal_dbus_chat(wine_t) -') - -optional_policy(` - policykit_dbus_chat(wine_t) -') - -optional_policy(` - unconfined_domain(wine_t) -') - -optional_policy(` - xserver_read_xdm_pid(wine_t) - xserver_rw_shm(wine_t) -') diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc deleted file mode 100644 index 96844ae79..000000000 --- a/policy/modules/apps/wireshark.fc +++ /dev/null @@ -1,3 +0,0 @@ -HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0) - -/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0) diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if deleted file mode 100644 index ea6ffe657..000000000 --- a/policy/modules/apps/wireshark.if +++ /dev/null @@ -1,55 +0,0 @@ -## Wireshark packet capture tool. - -############################################################ -## -## Role access for wireshark -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`wireshark_role',` - gen_require(` - type wireshark_t, wireshark_exec_t; - type wireshark_home_t, wireshark_tmp_t; - type wireshark_tmpfs_t; - ') - - role $1 types wireshark_t; - - domain_auto_trans($2, wireshark_exec_t, wireshark_t) - allow wireshark_t $2:fd use; - allow wireshark_t $2:process sigchld; - - manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t) - manage_files_pattern($2, wireshark_home_t, wireshark_home_t) - manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_files_pattern($2, wireshark_home_t, wireshark_home_t) - relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) -') - -######################################## -## -## Run wireshark in wireshark domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wireshark_domtrans',` - gen_require(` - type wireshark_t, wireshark_exec_t; - ') - - domtrans_pattern($1, wireshark_exec_t, wireshark_t) -') diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te deleted file mode 100644 index 8bfe97d3f..000000000 --- a/policy/modules/apps/wireshark.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(wireshark, 2.2.0) - -######################################## -# -# Declarations -# - -type wireshark_t; -type wireshark_exec_t; -typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; -typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; -application_domain(wireshark_t, wireshark_exec_t) -ubac_constrained(wireshark_t) - -type wireshark_home_t; -typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; -typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; -userdom_user_home_content(wireshark_home_t) - -type wireshark_tmp_t; -typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; -typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; -files_tmp_file(wireshark_tmp_t) -ubac_constrained(wireshark_tmp_t) - -type wireshark_tmpfs_t; -typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; -typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t }; -files_tmpfs_file(wireshark_tmpfs_t) -ubac_constrained(wireshark_tmpfs_t) - -############################## -# -# Local Policy -# - -allow wireshark_t self:capability { net_admin net_raw setgid }; -allow wireshark_t self:process { signal getsched }; -allow wireshark_t self:fifo_file { getattr read write }; -allow wireshark_t self:shm destroy; -allow wireshark_t self:shm create_shm_perms; -allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; -allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; -allow wireshark_t self:tcp_socket create_socket_perms; -allow wireshark_t self:udp_socket create_socket_perms; - -# Re-execute itself (why?) -can_exec(wireshark_t, wireshark_exec_t) -corecmd_search_bin(wireshark_t) - -# /home/.wireshark -manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir) - -# Store temporary files -manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) -manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) -files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file }) - -manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) -fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(wireshark_t) -kernel_read_system_state(wireshark_t) -kernel_read_sysctl(wireshark_t) - -corecmd_search_bin(wireshark_t) - -corenet_tcp_connect_generic_port(wireshark_t) -corenet_tcp_sendrecv_generic_if(wireshark_t) - -dev_read_urand(wireshark_t) - -files_read_etc_files(wireshark_t) -files_read_usr_files(wireshark_t) - -fs_list_inotifyfs(wireshark_t) -fs_search_auto_mountpoints(wireshark_t) - -libs_read_lib_files(wireshark_t) - -miscfiles_read_fonts(wireshark_t) -miscfiles_read_localization(wireshark_t) - -seutil_use_newrole_fds(wireshark_t) - -sysnet_read_config(wireshark_t) - -userdom_manage_user_home_content_files(wireshark_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(wireshark_t) - fs_manage_nfs_files(wireshark_t) - fs_manage_nfs_symlinks(wireshark_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(wireshark_t) - fs_manage_cifs_files(wireshark_t) - fs_manage_cifs_symlinks(wireshark_t) -') - -optional_policy(` - nscd_socket_use(wireshark_t) -') - -# Manual transition from userhelper -optional_policy(` - userhelper_use_fd(wireshark_t) - userhelper_sigchld(wireshark_t) -') - -optional_policy(` - xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t) - xserver_create_xdm_tmp_sockets(wireshark_t) -') diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc deleted file mode 100644 index c1d10a11b..000000000 --- a/policy/modules/apps/wm.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if deleted file mode 100644 index b3efef7b5..000000000 --- a/policy/modules/apps/wm.if +++ /dev/null @@ -1,111 +0,0 @@ -## X Window Managers - -####################################### -## -## The role template for the wm module. -## -## -##

-## This template creates a derived domains which are used -## for window manager applications. -##

-## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# -template(`wm_role_template',` - gen_require(` - type wm_exec_t; - class dbus send_msg; - ') - - type $1_wm_t; - domain_type($1_wm_t) - domain_entry_file($1_wm_t, wm_exec_t) - role $2 types $1_wm_t; - - allow $1_wm_t self:fifo_file rw_fifo_file_perms; - allow $1_wm_t self:process getsched; - allow $1_wm_t self:shm create_shm_perms; - - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; - allow $3 $1_wm_t:process { signal sigchld signull }; - allow $1_wm_t $3:process { signull sigkill }; - - allow $1_wm_t $3:dbus send_msg; - allow $3 $1_wm_t:dbus send_msg; - - domtrans_pattern($3, wm_exec_t, $1_wm_t) - - kernel_read_system_state($1_wm_t) - - corecmd_bin_domtrans($1_wm_t, $3) - corecmd_shell_domtrans($1_wm_t, $3) - - dev_read_urand($1_wm_t) - - files_read_etc_files($1_wm_t) - files_read_usr_files($1_wm_t) - - fs_getattr_tmpfs($1_wm_t) - - mls_file_read_all_levels($1_wm_t) - mls_file_write_all_levels($1_wm_t) - mls_xwin_read_all_levels($1_wm_t) - mls_xwin_write_all_levels($1_wm_t) - mls_fd_use_all_levels($1_wm_t) - - auth_use_nsswitch($1_wm_t) - - application_signull($1_wm_t) - - miscfiles_read_fonts($1_wm_t) - miscfiles_read_localization($1_wm_t) - - optional_policy(` - dbus_system_bus_client($1_wm_t) - dbus_session_bus_client($1_wm_t) - ') - - optional_policy(` - pulseaudio_stream_connect($1_wm_t) - ') - - optional_policy(` - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) - ') -') - -######################################## -## -## Execute the wm program in the wm domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`wm_exec',` - gen_require(` - type wm_exec_t; - ') - - can_exec($1, wm_exec_t) -') diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te deleted file mode 100644 index 19d447ed9..000000000 --- a/policy/modules/apps/wm.te +++ /dev/null @@ -1,9 +0,0 @@ -policy_module(wm, 1.2.0) - -######################################## -# -# Declarations -# - -type wm_exec_t; -corecmd_executable_file(wm_exec_t) diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc deleted file mode 100644 index 29396daa3..000000000 --- a/policy/modules/apps/xscreensaver.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if deleted file mode 100644 index 1067bd1f5..000000000 --- a/policy/modules/apps/xscreensaver.if +++ /dev/null @@ -1,30 +0,0 @@ -## X Screensaver - -######################################## -## -## Role access for xscreensaver -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`xscreensaver_role',` - gen_require(` - type xscreensaver_t, xscreensaver_exec_t; - ') - - role $1 types xscreensaver_t; - - domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2, xscreensaver_t) - allow $2 xscreensaver_t:process signal_perms; -') diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te deleted file mode 100644 index 1bdeb163d..000000000 --- a/policy/modules/apps/xscreensaver.te +++ /dev/null @@ -1,44 +0,0 @@ -policy_module(xscreensaver, 1.0.0) - -######################################## -# -# Declarations -# - -type xscreensaver_t; -type xscreensaver_exec_t; -application_domain(xscreensaver_t, xscreensaver_exec_t) -ubac_constrained(xscreensaver_t) - -type xscreensaver_tmpfs_t; -files_tmpfs_file(xscreensaver_tmpfs_t) -ubac_constrained(xscreensaver_tmpfs_t) - -######################################## -# -# Local policy -# - -allow xscreensaver_t self:fifo_file rw_fifo_file_perms; -allow xscreensaver_t self:process signal; - -kernel_read_system_state(xscreensaver_t) - -files_read_usr_files(xscreensaver_t) - -auth_use_nsswitch(xscreensaver_t) -auth_domtrans_chk_passwd(xscreensaver_t) - -#/var/run/utmp -init_read_utmp(xscreensaver_t) - -logging_send_audit_msgs(xscreensaver_t) -logging_send_syslog_msg(xscreensaver_t) - -miscfiles_read_localization(xscreensaver_t) - -userdom_use_user_ptys(xscreensaver_t) -#access to .icons and ~/.xscreensaver -userdom_read_user_home_content_files(xscreensaver_t) - -xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/policy/modules/apps/yam.fc b/policy/modules/apps/yam.fc deleted file mode 100644 index 4ec6edeb7..000000000 --- a/policy/modules/apps/yam.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0) - -/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0) - -/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) -/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if deleted file mode 100644 index 07015a25d..000000000 --- a/policy/modules/apps/yam.if +++ /dev/null @@ -1,66 +0,0 @@ -## Yum/Apt Mirroring - -######################################## -## -## Execute yam in the yam domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`yam_domtrans',` - gen_require(` - type yam_t, yam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, yam_exec_t, yam_t) -') - -######################################## -## -## Execute yam in the yam domain, and -## allow the specified role the yam domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`yam_run',` - gen_require(` - type yam_t; - ') - - yam_domtrans($1) - role $2 types yam_t; -') - -######################################## -## -## Read yam content. -## -## -## -## Domain allowed access. -## -## -# -interface(`yam_read_content',` - gen_require(` - type yam_content_t; - ') - - allow $1 yam_content_t:dir list_dir_perms; - read_files_pattern($1, yam_content_t, yam_content_t) - read_lnk_files_pattern($1, yam_content_t, yam_content_t) -') diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te deleted file mode 100644 index 223ad437d..000000000 --- a/policy/modules/apps/yam.te +++ /dev/null @@ -1,124 +0,0 @@ -policy_module(yam, 1.4.0) - -######################################## -# -# Declarations -# - -type yam_t alias yam_crond_t; -type yam_exec_t; -application_domain(yam_t, yam_exec_t) - -type yam_content_t; -files_mountpoint(yam_content_t) - -type yam_etc_t; -files_config_file(yam_etc_t) - -type yam_tmp_t; -files_tmp_file(yam_tmp_t) - -######################################## -# -# Local policy -# - -allow yam_t self:capability { chown fowner fsetid dac_override }; -allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow yam_t self:process execmem; -allow yam_t self:fd use; -allow yam_t self:fifo_file rw_fifo_file_perms; -allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow yam_t self:unix_dgram_socket { create_socket_perms sendto }; -allow yam_t self:shm create_shm_perms; -allow yam_t self:sem create_sem_perms; -allow yam_t self:msgq create_msgq_perms; -allow yam_t self:msg { send receive }; -allow yam_t self:tcp_socket create_socket_perms; - -# Update the content being managed by yam. -manage_dirs_pattern(yam_t, yam_content_t, yam_content_t) -manage_files_pattern(yam_t, yam_content_t, yam_content_t) -manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t) - -allow yam_t yam_etc_t:file read_file_perms; -files_search_etc(yam_t) - -manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t) -manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t) -files_tmp_filetrans(yam_t, yam_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(yam_t) -kernel_read_proc_symlinks(yam_t) -# Python works fine without reading /proc/meminfo -kernel_dontaudit_read_system_state(yam_t) - -corecmd_exec_shell(yam_t) -corecmd_exec_bin(yam_t) - -# Rsync and lftp need to network. They also set files attributes to -# match whats on the remote server. -corenet_all_recvfrom_unlabeled(yam_t) -corenet_all_recvfrom_netlabel(yam_t) -corenet_tcp_sendrecv_generic_if(yam_t) -corenet_tcp_sendrecv_generic_node(yam_t) -corenet_tcp_sendrecv_all_ports(yam_t) -corenet_tcp_connect_http_port(yam_t) -corenet_tcp_connect_rsync_port(yam_t) -corenet_sendrecv_http_client_packets(yam_t) -corenet_sendrecv_rsync_client_packets(yam_t) - -# mktemp -dev_read_urand(yam_t) - -files_read_etc_files(yam_t) -files_read_etc_runtime_files(yam_t) -# /usr/share/createrepo/genpkgmetadata.py: -files_exec_usr_files(yam_t) -# Programs invoked to build package lists need various permissions. -# genpkglist creates tmp files in /var/cache/apt/genpkglist -files_rw_var_files(yam_t) - -fs_search_auto_mountpoints(yam_t) -# Content can also be on ISO image files. -fs_read_iso9660_files(yam_t) - -logging_send_syslog_msg(yam_t) - -miscfiles_read_localization(yam_t) - -seutil_read_config(yam_t) - -sysnet_dns_name_resolve(yam_t) -sysnet_read_config(yam_t) - -userdom_use_user_terminals(yam_t) -userdom_use_unpriv_users_fds(yam_t) -# Reading dotfiles... -# cjp: ? -userdom_search_user_home_dirs(yam_t) - -# The whole point of this program is to make updates available on a -# local web server. Need to go through /var to get to /var/yam -# Go through /var/www to get to /var/www/yam -apache_search_sys_content(yam_t) - -optional_policy(` - cron_system_entry(yam_t, yam_exec_t) -') - -optional_policy(` - mount_domtrans(yam_t) -') - -optional_policy(` - nis_use_ypbind(yam_t) -') - -optional_policy(` - nscd_socket_use(yam_t) -') - -optional_policy(` - rsync_exec(yam_t) -') diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index 0faef6867..834a065de 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -6,7 +6,7 @@ policy_module(auditadm, 2.2.0) # role auditadm_r; - +role system_r; userdom_unpriv_user_template(auditadm) ######################################## diff --git a/policy/modules/roles/dbadm.fc b/policy/modules/roles/dbadm.fc deleted file mode 100644 index e6aa2fba6..000000000 --- a/policy/modules/roles/dbadm.fc +++ /dev/null @@ -1 +0,0 @@ -# No dbadm file contexts diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if deleted file mode 100644 index 56f2af746..000000000 --- a/policy/modules/roles/dbadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## Database administrator role - -######################################## -## -## Change to the database administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`dbadm_role_change',` - gen_require(` - role dbadm_r; - ') - - allow $1 dbadm_r; -') - -######################################## -## -## Change from the database administrator role. -## -## -##

-## Change from the database administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Role allowed access. -## -## -## -# -interface(`dbadm_role_change_to',` - gen_require(` - role dbadm_r; - ') - - allow dbadm_r $1; -') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te deleted file mode 100644 index 1875064e6..000000000 --- a/policy/modules/roles/dbadm.te +++ /dev/null @@ -1,60 +0,0 @@ -policy_module(dbadm, 1.0.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow dbadm to manage files in users home directories -##

-## -gen_tunable(dbadm_manage_user_files, false) - -## -##

-## Allow dbadm to read files in users home directories -##

-## -gen_tunable(dbadm_read_user_files, false) - -role dbadm_r; - -userdom_base_user_template(dbadm) - -######################################## -# -# database admin local policy -# - -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; - -files_dontaudit_search_all_dirs(dbadm_t) -files_delete_generic_locks(dbadm_t) -files_list_var(dbadm_t) - -selinux_get_enforce_mode(dbadm_t) - -logging_send_syslog_msg(dbadm_t) - -userdom_dontaudit_search_user_home_dirs(dbadm_t) - -tunable_policy(`dbadm_manage_user_files',` - userdom_manage_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) - userdom_write_user_tmp_files(dbadm_t) -') - -tunable_policy(`dbadm_read_user_files',` - userdom_read_user_home_content_files(dbadm_t) - userdom_read_user_tmp_files(dbadm_t) -') - -optional_policy(` - mysql_admin(dbadm_t, dbadm_r) -') - -optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) -') diff --git a/policy/modules/roles/guest.fc b/policy/modules/roles/guest.fc deleted file mode 100644 index 601a7b02f..000000000 --- a/policy/modules/roles/guest.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if deleted file mode 100644 index 8906a3297..000000000 --- a/policy/modules/roles/guest.if +++ /dev/null @@ -1,50 +0,0 @@ -## Least privledge terminal user role - -######################################## -## -## Change to the guest role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`guest_role_change',` - gen_require(` - role guest_r; - ') - - allow $1 guest_r; -') - -######################################## -## -## Change from the guest role. -## -## -##

-## Change from the guest role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Role allowed access. -## -## -## -# -interface(`guest_role_change_to',` - gen_require(` - role guest_r; - ') - - allow guest_r $1; -') diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te deleted file mode 100644 index 1cb731181..000000000 --- a/policy/modules/roles/guest.te +++ /dev/null @@ -1,17 +0,0 @@ -policy_module(guest, 1.2.0) - -######################################## -# -# Declarations -# - -role guest_r; - -userdom_restricted_user_template(guest) - -######################################## -# -# Local policy -# - -#gen_user(guest_u,, guest_r, s0, s0) diff --git a/policy/modules/roles/webadm.fc b/policy/modules/roles/webadm.fc deleted file mode 100644 index d46378a0c..000000000 --- a/policy/modules/roles/webadm.fc +++ /dev/null @@ -1 +0,0 @@ -# No webadm file contexts. diff --git a/policy/modules/roles/webadm.if b/policy/modules/roles/webadm.if deleted file mode 100644 index cc34f8b41..000000000 --- a/policy/modules/roles/webadm.if +++ /dev/null @@ -1,50 +0,0 @@ -## Web administrator role - -######################################## -## -## Change to the web administrator role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`webadm_role_change',` - gen_require(` - role webadm_r; - ') - - allow $1 webadm_r; -') - -######################################## -## -## Change from the web administrator role. -## -## -##

-## Change from the web administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Role allowed access. -## -## -## -# -interface(`webadm_role_change_to',` - gen_require(` - role webadm_r; - ') - - allow webadm_r $1; -') diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te deleted file mode 100644 index 0ecc7862a..000000000 --- a/policy/modules/roles/webadm.te +++ /dev/null @@ -1,55 +0,0 @@ -policy_module(webadm, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow webadm to manage files in users home directories -##

-## -gen_tunable(webadm_manage_user_files, false) - -## -##

-## Allow webadm to read files in users home directories -##

-## -gen_tunable(webadm_read_user_files, false) - -role webadm_r; - -userdom_base_user_template(webadm) - -######################################## -# -# webadmin local policy -# - -allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - -files_dontaudit_search_all_dirs(webadm_t) -files_manage_generic_locks(webadm_t) -files_list_var(webadm_t) - -selinux_get_enforce_mode(webadm_t) -seutil_domtrans_setfiles(webadm_t) - -logging_send_syslog_msg(webadm_t) - -userdom_dontaudit_search_user_home_dirs(webadm_t) - -apache_admin(webadm_t, webadm_r) - -tunable_policy(`webadm_manage_user_files',` - userdom_manage_user_home_content_files(webadm_t) - userdom_read_user_tmp_files(webadm_t) - userdom_write_user_tmp_files(webadm_t) -') - -tunable_policy(`webadm_read_user_files',` - userdom_read_user_home_content_files(webadm_t) - userdom_read_user_tmp_files(webadm_t) -') diff --git a/policy/modules/roles/xguest.fc b/policy/modules/roles/xguest.fc deleted file mode 100644 index 601a7b02f..000000000 --- a/policy/modules/roles/xguest.fc +++ /dev/null @@ -1 +0,0 @@ -# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if deleted file mode 100644 index d2234e325..000000000 --- a/policy/modules/roles/xguest.if +++ /dev/null @@ -1,50 +0,0 @@ -## Least privledge xwindows user role - -######################################## -## -## Change to the xguest role. -## -## -## -## Role allowed access. -## -## -## -# -interface(`xguest_role_change',` - gen_require(` - role xguest_r; - ') - - allow $1 xguest_r; -') - -######################################## -## -## Change from the xguest role. -## -## -##

-## Change from the xguest role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Role allowed access. -## -## -## -# -interface(`xguest_role_change_to',` - gen_require(` - role xguest_r; - ') - - allow xguest_r $1; -') diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te deleted file mode 100644 index e88b95f10..000000000 --- a/policy/modules/roles/xguest.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(xguest, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow xguest users to mount removable media -##

-## -gen_tunable(xguest_mount_media, true) - -## -##

-## Allow xguest to configure Network Manager -##

-## -gen_tunable(xguest_connect_network, true) - -## -##

-## Allow xguest to use blue tooth devices -##

-## -gen_tunable(xguest_use_bluetooth, true) - -role xguest_r; - -userdom_restricted_xwindows_user_template(xguest) - -######################################## -# -# Local policy -# - -ifndef(`enable_mls',` - fs_exec_noxattr(xguest_t) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - # Write floppies - storage_raw_read_removable_device(xguest_t) - storage_raw_write_removable_device(xguest_t) - ',` - storage_raw_read_removable_device(xguest_t) - ') -') - -# Allow mounting of file systems -optional_policy(` - tunable_policy(`xguest_mount_media',` - kernel_read_fs_sysctls(xguest_t) - - files_dontaudit_getattr_boot_dirs(xguest_t) - files_search_mnt(xguest_t) - - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) - fs_getattr_noxattr_fs(xguest_t) - fs_read_noxattr_fs_symlinks(xguest_t) - - auth_list_pam_console_data(xguest_t) - - init_read_utmp(xguest_t) - ') -') - -optional_policy(` - tunable_policy(`xguest_use_bluetooth',` - bluetooth_dbus_chat(xguest_t) - ') -') - -optional_policy(` - hal_dbus_chat(xguest_t) -') - -optional_policy(` - java_role(xguest_r, xguest_t) -') - -optional_policy(` - mozilla_role(xguest_r, xguest_t) -') - -optional_policy(` - tunable_policy(`xguest_connect_network',` - networkmanager_dbus_chat(xguest_t) - corenet_tcp_connect_pulseaudio_port(xguest_t) - corenet_tcp_connect_ipp_port(xguest_t) - ') -') - -#gen_user(xguest_u,, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc deleted file mode 100644 index 1bd5812e3..000000000 --- a/policy/modules/services/abrt.fc +++ /dev/null @@ -1,20 +0,0 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) - -/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - -/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) - -/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - -/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) - -/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) - -/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if deleted file mode 100644 index 0b827c527..000000000 --- a/policy/modules/services/abrt.if +++ /dev/null @@ -1,303 +0,0 @@ -## ABRT - automated bug-reporting tool - -###################################### -## -## Execute abrt in the abrt domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`abrt_domtrans',` - gen_require(` - type abrt_t, abrt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_exec_t, abrt_t) -') - -###################################### -## -## Execute abrt in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_exec',` - gen_require(` - type abrt_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, abrt_exec_t) -') - -######################################## -## -## Send a null signal to abrt. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_signull',` - gen_require(` - type abrt_t; - ') - - allow $1 abrt_t:process signull; -') - -######################################## -## -## Allow the domain to read abrt state files in /proc. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_state',` - gen_require(` - type abrt_t; - ') - - ps_process_pattern($1, abrt_t) -') - -######################################## -## -## Connect to abrt over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_stream_connect',` - gen_require(` - type abrt_t, abrt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t) -') - -######################################## -## -## Send and receive messages from -## abrt over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_dbus_chat',` - gen_require(` - type abrt_t; - class dbus send_msg; - ') - - allow $1 abrt_t:dbus send_msg; - allow abrt_t $1:dbus send_msg; -') - -##################################### -## -## Execute abrt-helper in the abrt-helper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`abrt_domtrans_helper',` - gen_require(` - type abrt_helper_t, abrt_helper_exec_t; - ') - - domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) -') - -######################################## -## -## Execute abrt helper in the abrt_helper domain, and -## allow the specified role the abrt_helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`abrt_run_helper',` - gen_require(` - type abrt_helper_t; - ') - - abrt_domtrans_helper($1) - role $2 types abrt_helper_t; -') - -######################################## -## -## Send and receive messages from -## abrt over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_cache_manage',` - gen_require(` - type abrt_var_cache_t; - ') - - manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -') - -#################################### -## -## Read abrt configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_config',` - gen_require(` - type abrt_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, abrt_etc_t, abrt_etc_t) -') - -###################################### -## -## Read abrt logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_log',` - gen_require(` - type abrt_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) -') - -###################################### -## -## Read abrt PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_read_pid_files',` - gen_require(` - type abrt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, abrt_var_run_t, abrt_var_run_t) -') - -###################################### -## -## Create, read, write, and delete abrt PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`abrt_manage_pid_files',` - gen_require(` - type abrt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) -') - -##################################### -## -## All of the rules required to administrate -## an abrt environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the abrt domain. -## -## -## -# -interface(`abrt_admin',` - gen_require(` - type abrt_t, abrt_etc_t; - type abrt_var_cache_t, abrt_var_log_t; - type abrt_var_run_t, abrt_tmp_t; - type abrt_initrc_exec_t; - ') - - allow $1 abrt_t:process { ptrace signal_perms }; - ps_process_pattern($1, abrt_t) - - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, abrt_etc_t) - - logging_search_logs($1) - admin_pattern($1, abrt_var_log_t) - - files_search_var($1) - admin_pattern($1, abrt_var_cache_t) - - files_search_pids($1) - admin_pattern($1, abrt_var_run_t) - - files_search_tmp($1) - admin_pattern($1, abrt_tmp_t) -') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te deleted file mode 100644 index 30861ec43..000000000 --- a/policy/modules/services/abrt.te +++ /dev/null @@ -1,227 +0,0 @@ -policy_module(abrt, 1.2.0) - -######################################## -# -# Declarations -# - -type abrt_t; -type abrt_exec_t; -init_daemon_domain(abrt_t, abrt_exec_t) - -type abrt_initrc_exec_t; -init_script_file(abrt_initrc_exec_t) - -# etc files -type abrt_etc_t; -files_config_file(abrt_etc_t) - -# log files -type abrt_var_log_t; -logging_log_file(abrt_var_log_t) - -# tmp files -type abrt_tmp_t; -files_tmp_file(abrt_tmp_t) - -# var/cache files -type abrt_var_cache_t; -files_type(abrt_var_cache_t) - -# pid files -type abrt_var_run_t; -files_pid_file(abrt_var_run_t) - -# type needed to allow all domains -# to handle /var/cache/abrt -type abrt_helper_t; -type abrt_helper_exec_t; -application_domain(abrt_helper_t, abrt_helper_exec_t) -role system_r types abrt_helper_t; - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# abrt local policy -# - -allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; -dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { signal signull setsched getsched }; - -allow abrt_t self:fifo_file rw_fifo_file_perms; -allow abrt_t self:tcp_socket create_stream_socket_perms; -allow abrt_t self:udp_socket create_socket_perms; -allow abrt_t self:unix_dgram_socket create_socket_perms; -allow abrt_t self:netlink_route_socket r_netlink_socket_perms; - -# abrt etc files -rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - -# log file -manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) -logging_log_filetrans(abrt_t, abrt_var_log_t, file) - -# abrt tmp files -manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) - -# abrt var/cache files -manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) -files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) - -# abrt pid files -manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) - -kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) -kernel_rw_kernel_sysctl(abrt_t) - -corecmd_exec_bin(abrt_t) -corecmd_exec_shell(abrt_t) -corecmd_read_all_executables(abrt_t) - -corenet_all_recvfrom_netlabel(abrt_t) -corenet_all_recvfrom_unlabeled(abrt_t) -corenet_tcp_sendrecv_generic_if(abrt_t) -corenet_tcp_sendrecv_generic_node(abrt_t) -corenet_tcp_sendrecv_generic_port(abrt_t) -corenet_tcp_bind_generic_node(abrt_t) -corenet_tcp_connect_http_port(abrt_t) -corenet_tcp_connect_ftp_port(abrt_t) -corenet_tcp_connect_all_ports(abrt_t) -corenet_sendrecv_http_client_packets(abrt_t) - -dev_getattr_all_chr_files(abrt_t) -dev_read_urand(abrt_t) -dev_rw_sysfs(abrt_t) -dev_dontaudit_read_raw_memory(abrt_t) - -domain_getattr_all_domains(abrt_t) -domain_read_all_domains_state(abrt_t) -domain_signull_all_domains(abrt_t) - -files_getattr_all_files(abrt_t) -files_read_etc_files(abrt_t) -files_read_var_symlinks(abrt_t) -files_read_var_lib_files(abrt_t) -files_read_usr_files(abrt_t) -files_read_generic_tmp_files(abrt_t) -files_read_kernel_modules(abrt_t) -files_dontaudit_list_default(abrt_t) -files_dontaudit_read_default_files(abrt_t) - -fs_list_inotifyfs(abrt_t) -fs_getattr_all_fs(abrt_t) -fs_getattr_all_dirs(abrt_t) -fs_read_fusefs_files(abrt_t) -fs_read_noxattr_fs_files(abrt_t) -fs_read_nfs_files(abrt_t) -fs_read_nfs_symlinks(abrt_t) -fs_search_all(abrt_t) - -sysnet_read_config(abrt_t) - -logging_read_generic_logs(abrt_t) -logging_send_syslog_msg(abrt_t) - -miscfiles_read_generic_certs(abrt_t) -miscfiles_read_localization(abrt_t) - -userdom_dontaudit_read_user_home_content_files(abrt_t) - -optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) -') - -optional_policy(` - nis_use_ypbind(abrt_t) -') - -optional_policy(` - policykit_dbus_chat(abrt_t) - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) - policykit_read_reload(abrt_t) -') - -optional_policy(` - prelink_exec(abrt_t) - libs_exec_ld_so(abrt_t) - corecmd_exec_all_executables(abrt_t) -') - -# to install debuginfo packages -optional_policy(` - rpm_exec(abrt_t) - rpm_dontaudit_manage_db(abrt_t) - rpm_manage_cache(abrt_t) - rpm_manage_pid_files(abrt_t) - rpm_read_db(abrt_t) - rpm_signull(abrt_t) -') - -# to run mailx plugin -optional_policy(` - sendmail_domtrans(abrt_t) -') - -optional_policy(` - sssd_stream_connect(abrt_t) -') - -######################################## -# -# abrt--helper local policy -# - -allow abrt_helper_t self:capability { chown setgid sys_nice }; -allow abrt_helper_t self:process signal; - -read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) - -files_search_spool(abrt_helper_t) -manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) -files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) - -read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) - -domain_read_all_domains_state(abrt_helper_t) - -files_read_etc_files(abrt_helper_t) - -fs_list_inotifyfs(abrt_helper_t) -fs_getattr_all_fs(abrt_helper_t) - -auth_use_nsswitch(abrt_helper_t) - -logging_send_syslog_msg(abrt_helper_t) - -miscfiles_read_localization(abrt_helper_t) - -term_dontaudit_use_all_ttys(abrt_helper_t) -term_dontaudit_use_all_ptys(abrt_helper_t) - -ifdef(`hide_broken_symptoms', ` - userdom_dontaudit_read_user_home_content_files(abrt_helper_t) - userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - dev_dontaudit_read_all_blk_files(abrt_helper_t) - dev_dontaudit_read_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_blk_files(abrt_helper_t) - fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) -') diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc deleted file mode 100644 index 1adca53f4..000000000 --- a/policy/modules/services/accountsd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - -/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if deleted file mode 100644 index c0f858de6..000000000 --- a/policy/modules/services/accountsd.if +++ /dev/null @@ -1,145 +0,0 @@ -## AccountsService and daemon for manipulating user account information via D-Bus - -######################################## -## -## Execute a domain transition to run accountsd. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_domtrans',` - gen_require(` - type accountsd_t, accountsd_exec_t; - ') - - domtrans_pattern($1, accountsd_exec_t, accountsd_t) -') - -######################################## -## -## Do not audit attempts to read and write Accounts Daemon -## fifo file. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_dontaudit_rw_fifo_file',` - gen_require(` - type accountsd_t; - ') - - dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send and receive messages from -## accountsd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_dbus_chat',` - gen_require(` - type accountsd_t; - class dbus send_msg; - ') - - allow $1 accountsd_t:dbus send_msg; - allow accountsd_t $1:dbus send_msg; -') - -######################################## -## -## Search accountsd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_search_lib',` - gen_require(` - type accountsd_var_lib_t; - ') - - allow $1 accountsd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read accountsd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_read_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## accountsd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`accountsd_manage_lib_files',` - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an accountsd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`accountsd_admin',` - gen_require(` - type accountsd_t; - ') - - allow $1 accountsd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, accountsd_t) - - accountsd_manage_lib_files($1) -') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te deleted file mode 100644 index 1632f105a..000000000 --- a/policy/modules/services/accountsd.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(accountsd, 1.0.0) - -######################################## -# -# Declarations -# - -type accountsd_t; -type accountsd_exec_t; -dbus_system_domain(accountsd_t, accountsd_exec_t) - -type accountsd_var_lib_t; -files_type(accountsd_var_lib_t) - -######################################## -# -# accountsd local policy -# - -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; -allow accountsd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) - -kernel_read_kernel_sysctls(accountsd_t) - -corecmd_exec_bin(accountsd_t) - -files_read_usr_files(accountsd_t) -files_read_mnt_files(accountsd_t) - -fs_list_inotifyfs(accountsd_t) -fs_read_noxattr_fs_files(accountsd_t) - -auth_use_nsswitch(accountsd_t) -auth_read_shadow(accountsd_t) - -miscfiles_read_localization(accountsd_t) - -logging_send_syslog_msg(accountsd_t) -logging_set_loginuid(accountsd_t) - -userdom_read_user_tmp_files(accountsd_t) -userdom_read_user_home_content_files(accountsd_t) - -usermanage_domtrans_useradd(accountsd_t) -usermanage_domtrans_passwd(accountsd_t) - -optional_policy(` - consolekit_read_log(accountsd_t) -') - -optional_policy(` - policykit_dbus_chat(accountsd_t) -') diff --git a/policy/modules/services/afs.fc b/policy/modules/services/afs.fc deleted file mode 100644 index eaea13887..000000000 --- a/policy/modules/services/afs.fc +++ /dev/null @@ -1,32 +0,0 @@ -/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) -/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) - -/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) -/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) -/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) -/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) -/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) - -/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0) -/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0) -/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0) -/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0) - -/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0) - -/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) - -/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - -/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - -/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) - -/vicepa gen_context(system_u:object_r:afs_files_t,s0) -/vicepb gen_context(system_u:object_r:afs_files_t,s0) -/vicepc gen_context(system_u:object_r:afs_files_t,s0) diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if deleted file mode 100644 index 8559cdc6d..000000000 --- a/policy/modules/services/afs.if +++ /dev/null @@ -1,109 +0,0 @@ -## Andrew Filesystem server - -######################################## -## -## Execute a domain transition to run the -## afs client. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`afs_domtrans',` - gen_require(` - type afs_t, afs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, afs_exec_t, afs_t) -') - -######################################## -## -## Read and write afs client UDP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`afs_rw_udp_sockets',` - gen_require(` - type afs_t; - ') - - allow $1 afs_t:udp_socket { read write }; -') - -######################################## -## -## read/write afs cache files -## -## -## -## Domain allowed access. -## -## -# -interface(`afs_rw_cache',` - gen_require(` - type afs_cache_t; - ') - - files_search_var($1) - allow $1 afs_cache_t:file { read write }; -') - -######################################## -## -## Execute afs server in the afs domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`afs_initrc_domtrans',` - gen_require(` - type afs_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, afs_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an afs environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the afs domain. -## -## -## -# -interface(`afs_admin',` - gen_require(` - type afs_t, afs_initrc_exec_t; - ') - - allow $1 afs_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, afs_t, afs_t) - - # Allow afs_admin to restart the afs service - afs_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 afs_initrc_exec_t system_r; - allow $2 system_r; - -') diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te deleted file mode 100644 index a496fdeaf..000000000 --- a/policy/modules/services/afs.te +++ /dev/null @@ -1,355 +0,0 @@ -policy_module(afs, 1.7.0) - -######################################## -# -# Declarations -# - -type afs_t; -type afs_exec_t; -init_daemon_domain(afs_t, afs_exec_t) - -type afs_bosserver_t; -type afs_bosserver_exec_t; -init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) - -type afs_cache_t; -files_type(afs_cache_t) - -type afs_config_t; -files_type(afs_config_t) - -type afs_dbdir_t; -files_type(afs_dbdir_t) - -# exported files -type afs_files_t; -files_type(afs_files_t) - -type afs_fsserver_t; -type afs_fsserver_exec_t; -domain_type(afs_fsserver_t) -domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t) -role system_r types afs_fsserver_t; - -type afs_initrc_exec_t; -init_script_file(afs_initrc_exec_t) - -type afs_ka_db_t; -files_type(afs_ka_db_t) - -type afs_kaserver_t; -type afs_kaserver_exec_t; -domain_type(afs_kaserver_t) -domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t) -role system_r types afs_kaserver_t; - -type afs_logfile_t; -logging_log_file(afs_logfile_t) - -type afs_pt_db_t; -files_type(afs_pt_db_t) - -type afs_ptserver_t; -type afs_ptserver_exec_t; -domain_type(afs_ptserver_t) -domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t) -role system_r types afs_ptserver_t; - -type afs_vl_db_t; -files_type(afs_vl_db_t) - -type afs_vlserver_t; -type afs_vlserver_exec_t; -domain_type(afs_vlserver_t) -domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t) -role system_r types afs_vlserver_t; - -######################################## -# -# afs client local policy -# - -allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -allow afs_t self:process { setsched signal }; -allow afs_t self:udp_socket create_socket_perms; -allow afs_t self:fifo_file rw_file_perms; -allow afs_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(afs_t, afs_cache_t, afs_cache_t) -manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t) -files_var_filetrans(afs_t, afs_cache_t, { file dir }) - -kernel_rw_afs_state(afs_t) - -corenet_all_recvfrom_unlabeled(afs_t) -corenet_all_recvfrom_netlabel(afs_t) -corenet_tcp_sendrecv_generic_if(afs_t) -corenet_udp_sendrecv_generic_if(afs_t) -corenet_tcp_sendrecv_generic_node(afs_t) -corenet_udp_sendrecv_generic_node(afs_t) -corenet_tcp_sendrecv_all_ports(afs_t) -corenet_udp_sendrecv_all_ports(afs_t) -corenet_udp_bind_generic_node(afs_t) - -files_mounton_mnt(afs_t) -files_read_etc_files(afs_t) -files_read_usr_files(afs_t) -files_rw_etc_runtime_files(afs_t) - -fs_getattr_xattr_fs(afs_t) -fs_mount_nfs(afs_t) -fs_read_nfs_symlinks(afs_t) - -logging_send_syslog_msg(afs_t) - -miscfiles_read_localization(afs_t) - -sysnet_dns_name_resolve(afs_t) - -######################################## -# -# AFS bossserver local policy -# - -allow afs_bosserver_t self:process { setsched signal_perms }; -allow afs_bosserver_t self:tcp_socket create_stream_socket_perms; -allow afs_bosserver_t self:udp_socket create_socket_perms; - -can_exec(afs_bosserver_t, afs_bosserver_exec_t) - -manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) -manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) - -allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; - -allow afs_bosserver_t afs_fsserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) - -allow afs_bosserver_t afs_kaserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) - -allow afs_bosserver_t afs_logfile_t:file manage_file_perms; -allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms; - -allow afs_bosserver_t afs_ptserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) - -allow afs_bosserver_t afs_vlserver_t:process signal_perms; -domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) - -kernel_read_kernel_sysctls(afs_bosserver_t) - -corenet_all_recvfrom_unlabeled(afs_bosserver_t) -corenet_all_recvfrom_netlabel(afs_bosserver_t) -corenet_tcp_sendrecv_generic_if(afs_bosserver_t) -corenet_udp_sendrecv_generic_if(afs_bosserver_t) -corenet_tcp_sendrecv_generic_node(afs_bosserver_t) -corenet_udp_sendrecv_generic_node(afs_bosserver_t) -corenet_tcp_sendrecv_all_ports(afs_bosserver_t) -corenet_udp_sendrecv_all_ports(afs_bosserver_t) -corenet_udp_bind_generic_node(afs_bosserver_t) -corenet_udp_bind_afs_bos_port(afs_bosserver_t) -corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) - -files_read_etc_files(afs_bosserver_t) -files_list_home(afs_bosserver_t) -files_read_usr_files(afs_bosserver_t) - -miscfiles_read_localization(afs_bosserver_t) - -seutil_read_config(afs_bosserver_t) - -sysnet_read_config(afs_bosserver_t) - -######################################## -# -# fileserver local policy -# - -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; -dontaudit afs_fsserver_t self:capability fsetid; -allow afs_fsserver_t self:process { setsched signal_perms }; -allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; -allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; -allow afs_fsserver_t self:udp_socket create_socket_perms; - -read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -allow afs_fsserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) - -allow afs_fsserver_t afs_files_t:filesystem getattr; -manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) -filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file }) - -can_exec(afs_fsserver_t, afs_fsserver_exec_t) - -manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) - -kernel_read_system_state(afs_fsserver_t) -kernel_read_kernel_sysctls(afs_fsserver_t) - -corenet_tcp_sendrecv_generic_if(afs_fsserver_t) -corenet_udp_sendrecv_generic_if(afs_fsserver_t) -corenet_tcp_sendrecv_generic_node(afs_fsserver_t) -corenet_udp_sendrecv_generic_node(afs_fsserver_t) -corenet_tcp_sendrecv_all_ports(afs_fsserver_t) -corenet_udp_sendrecv_all_ports(afs_fsserver_t) -corenet_all_recvfrom_unlabeled(afs_fsserver_t) -corenet_all_recvfrom_netlabel(afs_fsserver_t) -corenet_tcp_bind_generic_node(afs_fsserver_t) -corenet_udp_bind_generic_node(afs_fsserver_t) -corenet_tcp_bind_afs_fs_port(afs_fsserver_t) -corenet_udp_bind_afs_fs_port(afs_fsserver_t) -corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) - -files_read_etc_files(afs_fsserver_t) -files_read_etc_runtime_files(afs_fsserver_t) -files_list_home(afs_fsserver_t) -files_read_usr_files(afs_fsserver_t) -files_list_pids(afs_fsserver_t) -files_dontaudit_search_mnt(afs_fsserver_t) - -fs_getattr_xattr_fs(afs_fsserver_t) - -term_dontaudit_use_console(afs_fsserver_t) - -init_dontaudit_use_script_fds(afs_fsserver_t) - -logging_send_syslog_msg(afs_fsserver_t) - -miscfiles_read_localization(afs_fsserver_t) - -seutil_read_config(afs_fsserver_t) - -sysnet_read_config(afs_fsserver_t) - -userdom_dontaudit_use_user_terminals(afs_fsserver_t) - -######################################## -# -# kaserver local policy -# - -allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_kaserver_t self:tcp_socket create_stream_socket_perms; -allow afs_kaserver_t self:udp_socket create_socket_perms; - -manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t) - -manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t) -filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file) - -manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) - -kernel_read_kernel_sysctls(afs_kaserver_t) - -corenet_all_recvfrom_unlabeled(afs_kaserver_t) -corenet_all_recvfrom_netlabel(afs_kaserver_t) -corenet_tcp_sendrecv_generic_if(afs_kaserver_t) -corenet_udp_sendrecv_generic_if(afs_kaserver_t) -corenet_tcp_sendrecv_generic_node(afs_kaserver_t) -corenet_udp_sendrecv_generic_node(afs_kaserver_t) -corenet_tcp_sendrecv_all_ports(afs_kaserver_t) -corenet_udp_sendrecv_all_ports(afs_kaserver_t) -corenet_udp_bind_generic_node(afs_kaserver_t) -corenet_udp_bind_afs_ka_port(afs_kaserver_t) -corenet_udp_bind_kerberos_port(afs_kaserver_t) -corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t) -corenet_sendrecv_kerberos_server_packets(afs_kaserver_t) - -files_read_etc_files(afs_kaserver_t) -files_list_home(afs_kaserver_t) -files_read_usr_files(afs_kaserver_t) - -miscfiles_read_localization(afs_kaserver_t) - -seutil_read_config(afs_kaserver_t) - -sysnet_read_config(afs_kaserver_t) - -userdom_dontaudit_use_user_terminals(afs_kaserver_t) - -######################################## -# -# ptserver local policy -# - -allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; -allow afs_ptserver_t self:udp_socket create_socket_perms; - -read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) -allow afs_ptserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) - -manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) -filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) - -corenet_all_recvfrom_unlabeled(afs_ptserver_t) -corenet_all_recvfrom_netlabel(afs_ptserver_t) -corenet_tcp_sendrecv_generic_if(afs_ptserver_t) -corenet_udp_sendrecv_generic_if(afs_ptserver_t) -corenet_tcp_sendrecv_generic_node(afs_ptserver_t) -corenet_udp_sendrecv_generic_node(afs_ptserver_t) -corenet_tcp_sendrecv_all_ports(afs_ptserver_t) -corenet_udp_sendrecv_all_ports(afs_ptserver_t) -corenet_udp_bind_generic_node(afs_ptserver_t) -corenet_udp_bind_afs_pt_port(afs_ptserver_t) -corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) - -files_read_etc_files(afs_ptserver_t) - -miscfiles_read_localization(afs_ptserver_t) - -sysnet_read_config(afs_ptserver_t) - -userdom_dontaudit_use_user_terminals(afs_ptserver_t) - -######################################## -# -# vlserver local policy -# - -allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; -allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; -allow afs_vlserver_t self:udp_socket create_socket_perms; - -read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) -allow afs_vlserver_t afs_config_t:dir list_dir_perms; - -manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) -manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) - -manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) -filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) - -corenet_all_recvfrom_unlabeled(afs_vlserver_t) -corenet_all_recvfrom_netlabel(afs_vlserver_t) -corenet_tcp_sendrecv_generic_if(afs_vlserver_t) -corenet_udp_sendrecv_generic_if(afs_vlserver_t) -corenet_tcp_sendrecv_generic_node(afs_vlserver_t) -corenet_udp_sendrecv_generic_node(afs_vlserver_t) -corenet_tcp_sendrecv_all_ports(afs_vlserver_t) -corenet_udp_sendrecv_all_ports(afs_vlserver_t) -corenet_udp_bind_generic_node(afs_vlserver_t) -corenet_udp_bind_afs_vl_port(afs_vlserver_t) -corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) - -files_read_etc_files(afs_vlserver_t) - -miscfiles_read_localization(afs_vlserver_t) - -sysnet_read_config(afs_vlserver_t) - -userdom_dontaudit_use_user_terminals(afs_vlserver_t) diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc deleted file mode 100644 index 069518f9e..000000000 --- a/policy/modules/services/aiccu.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) -/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) - -/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) - -/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if deleted file mode 100644 index 184c9a80b..000000000 --- a/policy/modules/services/aiccu.if +++ /dev/null @@ -1,95 +0,0 @@ -## Automatic IPv6 Connectivity Client Utility. - -######################################## -## -## Execute a domain transition to run aiccu. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aiccu_domtrans',` - gen_require(` - type aiccu_t, aiccu_exec_t; - ') - - domtrans_pattern($1, aiccu_exec_t, aiccu_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute aiccu server in the aiccu domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aiccu_initrc_domtrans',` - gen_require(` - type aiccu_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, aiccu_initrc_exec_t) -') - -######################################## -## -## Read aiccu PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`aiccu_read_pid_files',` - gen_require(` - type aiccu_var_run_t; - ') - - allow $1 aiccu_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an aiccu environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`aiccu_admin',` - gen_require(` - type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; - type aiccu_var_run_t; - ') - - allow $1 aiccu_t:process { ptrace signal_perms }; - ps_process_pattern($1, aiccu_t) - - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, aiccu_etc_t) - files_list_etc($1) - - admin_pattern($1, aiccu_var_run_t) - files_list_pids($1) -') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te deleted file mode 100644 index 6d685baf3..000000000 --- a/policy/modules/services/aiccu.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(aiccu, 1.0.0) - -######################################## -# -# Declarations -# - -type aiccu_t; -type aiccu_exec_t; -init_daemon_domain(aiccu_t, aiccu_exec_t) - -type aiccu_initrc_exec_t; -init_script_file(aiccu_initrc_exec_t) - -type aiccu_etc_t; -files_config_file(aiccu_etc_t) - -type aiccu_var_run_t; -files_pid_file(aiccu_var_run_t) - -######################################## -# -# aiccu local policy -# - -allow aiccu_t self:capability { kill net_admin net_raw }; -dontaudit aiccu_t self:capability sys_tty_config; -allow aiccu_t self:process signal; -allow aiccu_t self:fifo_file rw_fifo_file_perms; -allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; -allow aiccu_t self:tcp_socket create_stream_socket_perms; -allow aiccu_t self:tun_socket create_socket_perms; -allow aiccu_t self:udp_socket create_stream_socket_perms; -allow aiccu_t self:unix_stream_socket create_stream_socket_perms; - -allow aiccu_t aiccu_etc_t:file read_file_perms; - -manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) - -kernel_read_system_state(aiccu_t) - -corecmd_exec_shell(aiccu_t) - -corenet_all_recvfrom_netlabel(aiccu_t) -corenet_all_recvfrom_unlabeled(aiccu_t) -corenet_tcp_sendrecv_generic_if(aiccu_t) -corenet_tcp_sendrecv_generic_node(aiccu_t) -corenet_tcp_sendrecv_generic_port(aiccu_t) -corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -corenet_tcp_bind_generic_node(aiccu_t) -corenet_tcp_connect_sixxsconfig_port(aiccu_t) -corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) - -corenet_rw_tun_tap_dev(aiccu_t) - -domain_use_interactive_fds(aiccu_t) - -dev_read_rand(aiccu_t) -dev_read_urand(aiccu_t) - -files_read_etc_files(aiccu_t) - -logging_send_syslog_msg(aiccu_t) - -miscfiles_read_localization(aiccu_t) - -optional_policy(` - modutils_domtrans_insmod(aiccu_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(aiccu_t) - sysnet_dns_name_resolve(aiccu_t) -') diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc deleted file mode 100644 index 7798464d1..000000000 --- a/policy/modules/services/aide.fc +++ /dev/null @@ -1,6 +0,0 @@ -/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) - -/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) - -/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) -/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if deleted file mode 100644 index 838d25b3a..000000000 --- a/policy/modules/services/aide.if +++ /dev/null @@ -1,71 +0,0 @@ -## Aide filesystem integrity checker - -######################################## -## -## Execute aide in the aide domain -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aide_domtrans',` - gen_require(` - type aide_t, aide_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, aide_exec_t, aide_t) -') - -######################################## -## -## Execute aide programs in the AIDE domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the AIDE domain. -## -## -# -interface(`aide_run',` - gen_require(` - type aide_t; - ') - - aide_domtrans($1) - role $2 types aide_t; -') - -######################################## -## -## All of the rules required to administrate -## an aide environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`aide_admin',` - gen_require(` - type aide_t, aide_db_t, aide_log_t; - ') - - allow $1 aide_t:process { ptrace signal_perms }; - ps_process_pattern($1, aide_t) - - files_list_etc($1) - admin_pattern($1, aide_db_t) - - logging_list_logs($1) - admin_pattern($1, aide_log_t) -') diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te deleted file mode 100644 index 2509dd2c6..000000000 --- a/policy/modules/services/aide.te +++ /dev/null @@ -1,42 +0,0 @@ -policy_module(aide, 1.6.0) - -######################################## -# -# Declarations -# - -type aide_t; -type aide_exec_t; -application_domain(aide_t, aide_exec_t) - -# log files -type aide_log_t; -logging_log_file(aide_log_t) - -# aide database -type aide_db_t; -files_type(aide_db_t) - -######################################## -# -# aide local policy -# - -allow aide_t self:capability { dac_override fowner }; - -# database actions -manage_files_pattern(aide_t, aide_db_t, aide_db_t) - -# logs -manage_files_pattern(aide_t, aide_log_t, aide_log_t) -logging_log_filetrans(aide_t, aide_log_t, file) - -files_read_all_files(aide_t) - -logging_send_audit_msgs(aide_t) -# AIDE can be configured to log to syslog -logging_send_syslog_msg(aide_t) - -seutil_use_newrole_fds(aide_t) - -userdom_use_user_terminals(aide_t) diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc deleted file mode 100644 index 7b4f4b9ed..000000000 --- a/policy/modules/services/aisexec.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) - -/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0) - -/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) - -/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) - -/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if deleted file mode 100644 index 0370dba10..000000000 --- a/policy/modules/services/aisexec.if +++ /dev/null @@ -1,106 +0,0 @@ -## Aisexec Cluster Engine - -######################################## -## -## Execute a domain transition to run aisexec. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`aisexec_domtrans',` - gen_require(` - type aisexec_t, aisexec_exec_t; - ') - - domtrans_pattern($1, aisexec_exec_t, aisexec_t) -') - -##################################### -## -## Connect to aisexec over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`aisexec_stream_connect',` - gen_require(` - type aisexec_t, aisexec_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) -') - -####################################### -## -## Allow the specified domain to read aisexec's log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`aisexec_read_log',` - gen_require(` - type aisexec_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) - read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) -') - -###################################### -## -## All of the rules required to administrate -## an aisexec environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the aisexecd domain. -## -## -## -# -interface(`aisexecd_admin',` - gen_require(` - type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; - type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; - type aisexec_initrc_exec_t; - ') - - allow $1 aisexec_t:process { ptrace signal_perms }; - ps_process_pattern($1, aisexec_t) - - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, aisexec_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, aisexec_var_log_t) - - files_list_pids($1) - admin_pattern($1, aisexec_var_run_t) - - files_list_tmp($1) - admin_pattern($1, aisexec_tmp_t) - - admin_pattern($1, aisexec_tmpfs_t) -') diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te deleted file mode 100644 index 50b9b48b0..000000000 --- a/policy/modules/services/aisexec.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(aisexec, 1.1.0) - -######################################## -# -# Declarations -# - -type aisexec_t; -type aisexec_exec_t; -init_daemon_domain(aisexec_t, aisexec_exec_t) - -type aisexec_initrc_exec_t; -init_script_file(aisexec_initrc_exec_t) - -type aisexec_tmp_t; -files_tmp_file(aisexec_tmp_t) - -type aisexec_tmpfs_t; -files_tmpfs_file(aisexec_tmpfs_t) - -type aisexec_var_lib_t; -files_type(aisexec_var_lib_t) - -type aisexec_var_log_t; -logging_log_file(aisexec_var_log_t) - -type aisexec_var_run_t; -files_pid_file(aisexec_var_run_t) - -######################################## -# -# aisexec local policy -# - -allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; -allow aisexec_t self:process { setrlimit setsched signal }; -allow aisexec_t self:fifo_file rw_fifo_file_perms; -allow aisexec_t self:sem create_sem_perms; -allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow aisexec_t self:unix_dgram_socket create_socket_perms; -allow aisexec_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) -manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) -files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir }) - -manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) -manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) -fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) - -manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) -files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file }) - -manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) -logging_log_filetrans(aisexec_t, aisexec_var_log_t, { sock_file file }) - -manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) -manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) -files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) - -kernel_read_system_state(aisexec_t) - -corecmd_exec_bin(aisexec_t) - -corenet_udp_bind_netsupport_port(aisexec_t) -corenet_tcp_bind_reserved_port(aisexec_t) -corenet_udp_bind_cluster_port(aisexec_t) - -dev_read_urand(aisexec_t) - -files_manage_mounttab(aisexec_t) - -auth_use_nsswitch(aisexec_t) - -init_rw_script_tmp_files(aisexec_t) - -logging_send_syslog_msg(aisexec_t) - -miscfiles_read_localization(aisexec_t) - -userdom_rw_unpriv_user_semaphores(aisexec_t) -userdom_rw_unpriv_user_shared_mem(aisexec_t) - -optional_policy(` - ccs_stream_connect(aisexec_t) -') - -optional_policy(` - # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(aisexec_t) - - rhcs_rw_fenced_semaphores(aisexec_t) - - rhcs_rw_gfs_controld_semaphores(aisexec_t) - rhcs_rw_gfs_controld_shm(aisexec_t) - - rhcs_rw_groupd_semaphores(aisexec_t) - rhcs_rw_groupd_shm(aisexec_t) -') diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc deleted file mode 100644 index d96fdfa6c..000000000 --- a/policy/modules/services/amavis.fc +++ /dev/null @@ -1,18 +0,0 @@ - -/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) -/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) -/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) - -/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) -/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) - -ifdef(`distro_debian',` -/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) -') - -/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) -/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) -/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) -/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) -/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) -/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if deleted file mode 100644 index e31d92a45..000000000 --- a/policy/modules/services/amavis.if +++ /dev/null @@ -1,261 +0,0 @@ -## -## Daemon that interfaces mail transfer agents and content -## checkers, such as virus scanners. -## - -######################################## -## -## Execute a domain transition to run amavis. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amavis_domtrans',` - gen_require(` - type amavis_t, amavis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amavis_exec_t, amavis_t) -') - -######################################## -## -## Execute amavis server in the amavis domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`amavis_initrc_domtrans',` - gen_require(` - type amavis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, amavis_initrc_exec_t) -') - -######################################## -## -## Read amavis spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_read_spool_files',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, amavis_spool_t, amavis_spool_t) -') - -######################################## -## -## Manage amavis spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_manage_spool_files',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t) - manage_files_pattern($1, amavis_spool_t, amavis_spool_t) -') - -######################################## -## -## Create objects in the amavis spool directories -## with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -# -interface(`amavis_spool_filetrans',` - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, amavis_spool_t, $2, $3) -') - -######################################## -## -## Search amavis lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_search_lib',` - gen_require(` - type amavis_var_lib_t; - ') - - allow $1 amavis_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read amavis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_read_lib_files',` - gen_require(` - type amavis_var_lib_t; - ') - - read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - allow $1 amavis_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Create, read, write, and delete -## amavis lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_manage_lib_files',` - gen_require(` - type amavis_var_lib_t; - ') - - manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Set the attributes of amavis pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_setattr_pid_files',` - gen_require(` - type amavis_var_run_t; - ') - - allow $1 amavis_var_run_t:file setattr_file_perms; - files_search_pids($1) -') - -######################################## -## -## Create of amavis pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`amavis_create_pid_files',` - gen_require(` - type amavis_var_run_t; - ') - - allow $1 amavis_var_run_t:file create_file_perms; - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an amavis environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`amavis_admin',` - gen_require(` - type amavis_t, amavis_tmp_t, amavis_var_log_t; - type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; - type amavis_etc_t, amavis_quarantine_t; - type amavis_initrc_exec_t; - ') - - allow $1 amavis_t:process { ptrace signal_perms }; - ps_process_pattern($1, amavis_t) - - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, amavis_etc_t) - - admin_pattern($1, amavis_quarantine_t) - - files_list_spool($1) - admin_pattern($1, amavis_spool_t) - - files_list_tmp($1) - admin_pattern($1, amavis_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, amavis_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, amavis_var_log_t) - - files_list_pids($1) - admin_pattern($1, amavis_var_run_t) -') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te deleted file mode 100644 index d07d33b27..000000000 --- a/policy/modules/services/amavis.te +++ /dev/null @@ -1,194 +0,0 @@ -policy_module(amavis, 1.12.0) - -######################################## -# -# Declarations -# - -type amavis_t; -type amavis_exec_t; -domain_type(amavis_t) -init_daemon_domain(amavis_t, amavis_exec_t) - -# configuration files -type amavis_etc_t; -files_config_file(amavis_etc_t) - -type amavis_initrc_exec_t; -init_script_file(amavis_initrc_exec_t) - -# pid files -type amavis_var_run_t; -files_pid_file(amavis_var_run_t) - -# var/lib files -type amavis_var_lib_t; -files_type(amavis_var_lib_t) - -# log files -type amavis_var_log_t; -logging_log_file(amavis_var_log_t) - -# tmp files -type amavis_tmp_t; -files_tmp_file(amavis_tmp_t) - -# virus quarantine -type amavis_quarantine_t; -files_type(amavis_quarantine_t) - -type amavis_spool_t; -files_type(amavis_spool_t) - -######################################## -# -# amavis local policy -# - -allow amavis_t self:capability { kill chown dac_override setgid setuid }; -dontaudit amavis_t self:capability sys_tty_config; -allow amavis_t self:process { signal sigchld sigkill signull }; -allow amavis_t self:fifo_file rw_fifo_file_perms; -allow amavis_t self:unix_stream_socket create_stream_socket_perms; -allow amavis_t self:unix_dgram_socket create_socket_perms; -allow amavis_t self:tcp_socket { listen accept }; -allow amavis_t self:netlink_route_socket r_netlink_socket_perms; - -# configuration files -allow amavis_t amavis_etc_t:dir list_dir_perms; -read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) -read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) - -can_exec(amavis_t, amavis_exec_t) - -# mail quarantine -manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) -manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) -manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) - -# Spool Files -manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) -filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) -files_search_spool(amavis_t) - -# tmp files -manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) -allow amavis_t amavis_tmp_t:dir setattr_dir_perms; -files_tmp_filetrans(amavis_t, amavis_tmp_t, file) - -# var/lib files for amavis -manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -files_search_var_lib(amavis_t) - -# log files -allow amavis_t amavis_var_log_t:dir setattr_dir_perms; -manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) -manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) -logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) - -# pid file -manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(amavis_t) -# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... -kernel_dontaudit_list_proc(amavis_t) -kernel_dontaudit_read_proc_symlinks(amavis_t) -kernel_dontaudit_read_system_state(amavis_t) - -# find perl -corecmd_exec_bin(amavis_t) -corecmd_exec_shell(amavis_t) - -corenet_all_recvfrom_unlabeled(amavis_t) -corenet_all_recvfrom_netlabel(amavis_t) -corenet_tcp_sendrecv_generic_if(amavis_t) -corenet_tcp_sendrecv_generic_node(amavis_t) -corenet_tcp_bind_generic_node(amavis_t) -corenet_udp_bind_generic_node(amavis_t) -# amavis uses well-defined ports -corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) -corenet_tcp_sendrecv_amavisd_send_port(amavis_t) -# just the other side not. ;-) -corenet_tcp_sendrecv_all_ports(amavis_t) -# connect to backchannel port -corenet_tcp_connect_amavisd_send_port(amavis_t) -# bind to incoming port -corenet_tcp_bind_amavisd_recv_port(amavis_t) -corenet_udp_bind_generic_port(amavis_t) -corenet_dontaudit_udp_bind_all_ports(amavis_t) -corenet_tcp_connect_razor_port(amavis_t) - -dev_read_rand(amavis_t) -dev_read_urand(amavis_t) - -domain_use_interactive_fds(amavis_t) - -files_read_etc_files(amavis_t) -files_read_etc_runtime_files(amavis_t) -files_read_usr_files(amavis_t) - -fs_getattr_xattr_fs(amavis_t) - -auth_dontaudit_read_shadow(amavis_t) - -# uses uptime which reads utmp - redhat bug 561383 -init_read_utmp(amavis_t) -init_stream_connect_script(amavis_t) - -logging_send_syslog_msg(amavis_t) - -miscfiles_read_generic_certs(amavis_t) -miscfiles_read_localization(amavis_t) - -sysnet_dns_name_resolve(amavis_t) -sysnet_use_ldap(amavis_t) - -userdom_dontaudit_search_user_home_dirs(amavis_t) - -# Cron handling -cron_use_fds(amavis_t) -cron_use_system_job_fds(amavis_t) -cron_rw_pipes(amavis_t) - -mta_read_config(amavis_t) - -optional_policy(` - clamav_stream_connect(amavis_t) - clamav_domtrans_clamscan(amavis_t) -') - -optional_policy(` - dcc_domtrans_client(amavis_t) - dcc_stream_connect_dccifd(amavis_t) -') - -optional_policy(` - nslcd_stream_connect(amavis_t) -') - -optional_policy(` - postfix_read_config(amavis_t) -') - -optional_policy(` - pyzor_domtrans(amavis_t) - pyzor_signal(amavis_t) -') - -optional_policy(` - razor_domtrans(amavis_t) -') - -optional_policy(` - spamassassin_exec(amavis_t) - spamassassin_exec_client(amavis_t) - spamassassin_read_lib_files(amavis_t) -') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc deleted file mode 100644 index 9e39aa5be..000000000 --- a/policy/modules/services/apache.fc +++ /dev/null @@ -1,111 +0,0 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - -/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) -/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) -/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - -/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - -/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - -/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - -ifdef(`distro_suse', ` -/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) -') - -/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - -/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) - -/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - -/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - -ifdef(`distro_debian', ` -/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -') - -/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - -/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) - -/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if deleted file mode 100644 index 648016736..000000000 --- a/policy/modules/services/apache.if +++ /dev/null @@ -1,1218 +0,0 @@ -## Apache web server - -######################################## -## -## Create a set of derived types for apache -## web content. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`apache_content_template',` - gen_require(` - attribute httpdcontent; - attribute httpd_exec_scripts; - attribute httpd_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; - ') - # allow write access to public file transfer - # services files. - gen_tunable(allow_httpd_$1_script_anon_write, false) - - #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable - typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - files_type(httpd_$1_content_t) - - # This type is used for .htaccess files - type httpd_$1_htaccess_t; # customizable; - files_type(httpd_$1_htaccess_t) - - # Type that CGI scripts run as - type httpd_$1_script_t; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - - # This type is used for executable scripts files - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - - type httpd_$1_rw_content_t, httpdcontent; # customizable - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) - - type httpd_$1_ra_content_t, httpdcontent; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) - - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - - allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - - allow httpd_$1_script_t self:fifo_file rw_file_perms; - allow httpd_$1_script_t self:unix_stream_socket connectto; - - allow httpd_$1_script_t httpd_t:fifo_file write; - # apache should set close-on-exec - dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; - - # Allow the script process to search the cgi directory, and users directory - allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; - - append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) - logging_search_logs(httpd_$1_script_t) - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - - allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - kernel_dontaudit_search_sysctl(httpd_$1_script_t) - kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) - - dev_read_rand(httpd_$1_script_t) - dev_read_urand(httpd_$1_script_t) - - corecmd_exec_all_executables(httpd_$1_script_t) - - files_exec_etc_files(httpd_$1_script_t) - files_read_etc_files(httpd_$1_script_t) - files_search_home(httpd_$1_script_t) - - libs_exec_ld_so(httpd_$1_script_t) - libs_exec_lib_files(httpd_$1_script_t) - - miscfiles_read_fonts(httpd_$1_script_t) - miscfiles_read_public_files(httpd_$1_script_t) - - seutil_dontaudit_search_config(httpd_$1_script_t) - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; - - manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - can_exec(httpd_$1_script_t, httpdcontent) - ') - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - - # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - - allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - ') - - tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - - # privileged users run the script: - domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - - # apache runs the script: - domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - - allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; - - allow httpd_$1_script_t self:process { setsched signal_perms }; - allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; - - allow httpd_$1_script_t httpd_t:fd use; - allow httpd_$1_script_t httpd_t:process sigchld; - - kernel_read_system_state(httpd_$1_script_t) - - dev_read_urand(httpd_$1_script_t) - - fs_getattr_xattr_fs(httpd_$1_script_t) - - files_read_etc_runtime_files(httpd_$1_script_t) - files_read_usr_files(httpd_$1_script_t) - - libs_read_lib_files(httpd_$1_script_t) - - miscfiles_read_localization(httpd_$1_script_t) - ') - - optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_$1_script_t) - ') - ') - - optional_policy(` - postgresql_unpriv_client(httpd_$1_script_t) - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_$1_script_t) - ') - ') - - optional_policy(` - nscd_socket_use(httpd_$1_script_t) - ') -') - -######################################## -## -## Role access for apache -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`apache_role',` - gen_require(` - attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t; - type httpd_user_script_t, httpd_user_script_exec_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t; - ') - - role $1 types httpd_user_script_t; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; - - manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) - manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) - relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - - manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - - manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - - manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - - tunable_policy(`httpd_enable_cgi',` - # If a user starts a script by hand it gets the proper context - domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($2, httpdcontent, httpd_user_script_t) - ') -') - -######################################## -## -## Read httpd user scripts executables. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_user_scripts',` - gen_require(` - type httpd_user_script_exec_t; - ') - - allow $1 httpd_user_script_exec_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) -') - -######################################## -## -## Read user web content. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_user_content',` - gen_require(` - type httpd_user_content_t; - ') - - allow $1 httpd_user_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) -') - -######################################## -## -## Transition to apache. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apache_domtrans',` - gen_require(` - type httpd_t, httpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_exec_t, httpd_t) -') - -####################################### -## -## Send a generic signal to apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_signal',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signal; -') - -######################################## -## -## Send a null signal to apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_signull',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signull; -') - -######################################## -## -## Send a SIGCHLD signal to apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_sigchld',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process sigchld; -') - -######################################## -## -## Inherit and use file descriptors from Apache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_use_fds',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:fd use; -') - -######################################## -## -## Do not audit attempts to read and write Apache -## unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_fifo_file',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write Apache -## unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_stream_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:unix_stream_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write Apache -## TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_tcp_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:tcp_socket { read write }; -') - -######################################## -## -## Create, read, write, and delete all web content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_manage_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - manage_dirs_pattern($1, httpdcontent, httpdcontent) - manage_files_pattern($1, httpdcontent, httpdcontent) - manage_lnk_files_pattern($1, httpdcontent, httpdcontent) - - manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - -######################################## -## -## Allow domain to set the attributes -## of the APACHE cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_setattr_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:dir setattr; -') - -######################################## -## -## Allow the specified domain to list -## Apache cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_list_cache',` - gen_require(` - type httpd_cache_t; - ') - - list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## -## Allow the specified domain to read -## and write Apache cache files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_rw_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:file rw_file_perms; -') - -######################################## -## -## Allow the specified domain to delete -## Apache cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_delete_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - delete_files_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## -## Allow the specified domain to read -## apache configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir list_dir_perms; - read_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## -## Allow the specified domain to manage -## apache configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_manage_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, httpd_config_t, httpd_config_t) - manage_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## -## Execute the Apache helper program with -## a domain transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_domtrans_helper',` - gen_require(` - type httpd_helper_t, httpd_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) -') - -######################################## -## -## Execute the Apache helper program with -## a domain transition, and allow the -## specified role the Apache helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`apache_run_helper',` - gen_require(` - type httpd_helper_t; - ') - - apache_domtrans_helper($1) - role $2 types httpd_helper_t; -') - -######################################## -## -## Allow the specified domain to read -## apache log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - read_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## -## Allow the specified domain to append -## to apache log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_append_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - append_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## -## Do not audit attempts to append to the -## Apache logs. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_append_log',` - gen_require(` - type httpd_log_t; - ') - - dontaudit $1 httpd_log_t:file { getattr append }; -') - -######################################## -## -## Allow the specified domain to manage -## to apache log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_manage_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, httpd_log_t, httpd_log_t) - manage_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## -## Do not audit attempts to search Apache -## module directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_search_modules',` - gen_require(` - type httpd_modules_t; - ') - - dontaudit $1 httpd_modules_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to list -## the contents of the apache modules -## directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_list_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -') - -######################################## -## -## Allow the specified domain to execute -## apache modules. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_exec_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1, httpd_modules_t) -') - -######################################## -## -## Execute a domain transition to run httpd_rotatelogs. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apache_domtrans_rotatelogs',` - gen_require(` - type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) -') - -######################################## -## -## Allow the specified domain to list -## apache system content files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_list_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) -') - -######################################## -## -## Allow the specified domain to manage -## apache system content files. -## -## -## -## Domain allowed access. -## -## -## -# -# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr -interface(`apache_manage_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## -## Execute all web scripts in the system -## script domain. -## -## -## -## Domain allowed to transition. -## -## -# -# cjp: this interface specifically added to allow -# sysadm_t to run scripts -interface(`apache_domtrans_sys_script',` - gen_require(` - attribute httpdcontent; - type httpd_sys_script_t; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) - ') -') - -######################################## -## -## Do not audit attempts to read and write Apache -## system script unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_rw_sys_script_stream_sockets',` - gen_require(` - type httpd_sys_script_t; - ') - - dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; -') - -######################################## -## -## Execute all user scripts in the user -## script domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apache_domtrans_all_scripts',` - gen_require(` - attribute httpd_exec_scripts; - ') - - typeattribute $1 httpd_exec_scripts; -') - -######################################## -## -## Execute all user scripts in the user -## script domain. Add user script domains -## to the specified role. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access.. -## -## -# -interface(`apache_run_all_scripts',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_domains; - ') - - role $2 types httpd_script_domains; - apache_domtrans_all_scripts($1) -') - -######################################## -## -## Allow the specified domain to read -## apache squirrelmail data. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to append -## apache squirrelmail data. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_append_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file append_file_perms; -') - -######################################## -## -## Search apache system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_search_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir search_dir_perms; -') - -######################################## -## -## Read apache system content. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## -## Search apache system CGI directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_search_sys_scripts',` - gen_require(` - type httpd_sys_content_t, httpd_sys_script_exec_t; - ') - - search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) -') - -######################################## -## -## Create, read, write, and delete all user web content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_manage_all_user_content',` - gen_require(` - attribute httpd_user_content_type, httpd_user_script_exec_type; - ') - - manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) - manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) - manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) - - manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) - manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) - manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -') - -######################################## -## -## Search system script state directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_search_sys_script_state',` - gen_require(` - type httpd_sys_script_t; - ') - - allow $1 httpd_sys_script_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to read -## apache tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apache_read_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) -') - -######################################## -## -## Dontaudit attempts to write -## apache tmp files. -## -## -## -## Domain to not audit. -## -## -# -interface(`apache_dontaudit_write_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - dontaudit $1 httpd_tmp_t:file write_file_perms; -') - -######################################## -## -## Execute CGI in the specified domain. -## -## -##

-## Execute CGI in the specified domain. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Domain run the cgi script in. -## -## -## -## -## Type of the executable to enter the cgi domain. -## -## -# -interface(`apache_cgi_domain',` - gen_require(` - type httpd_t, httpd_sys_script_exec_t; - ') - - domtrans_pattern(httpd_t, $2, $1) - apache_search_sys_scripts($1) - - allow httpd_t $1:process signal; -') - -######################################## -## -## All of the rules required to administrate an apache environment -## -## -## -## Prefix of the domain. Example, user would be -## the prefix for the uder_t domain. -## -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`apache_admin',` - gen_require(` - attribute httpdcontent; - attribute httpd_script_exec_type; - - type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t; - type httpd_var_run_t, httpd_php_tmp_t; - type httpd_suexec_tmp_t, httpd_tmp_t; - type httpd_initrc_exec_t; - ') - - allow $1 httpd_t:process { getattr ptrace signal_perms }; - ps_process_pattern($1, httpd_t) - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; - allow $2 system_r; - - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - - files_search_etc($1) - admin_pattern($1, httpd_config_t) - - logging_search_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) - - admin_pattern($1, httpd_lock_t) - files_lock_filetrans($1, httpd_lock_t, file) - - admin_pattern($1, httpd_var_run_t) - files_pid_filetrans($1, httpd_var_run_t, file) - - kernel_search_proc($1) - allow $1 httpd_t:dir list_dir_perms; - - read_lnk_files_pattern($1, httpd_t, httpd_t) - - admin_pattern($1, httpdcontent) - admin_pattern($1, httpd_script_exec_type) - admin_pattern($1, httpd_tmp_t) - admin_pattern($1, httpd_php_tmp_t) - admin_pattern($1, httpd_suexec_tmp_t) -') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te deleted file mode 100644 index 5b02edb70..000000000 --- a/policy/modules/services/apache.te +++ /dev/null @@ -1,901 +0,0 @@ -policy_module(apache, 2.3.0) - -# -# NOTES: -# This policy will work with SUEXEC enabled as part of the Apache -# configuration. However, the user CGI scripts will run under the -# system_u:system_r:httpd_user_script_t. -# -# The user CGI scripts must be labeled with the httpd_user_script_exec_t -# type, and the directory containing the scripts should also be labeled -# with these types. This policy allows the user role to perform that -# relabeling. If it is desired that only admin role should be able to relabel -# the user CGI scripts, then relabel rule for user roles should be removed. -# - -######################################## -# -# Declarations -# - -## -##

-## Allow Apache to modify public files -## used for public file transfer services. Directories/Files must -## be labeled public_content_rw_t. -##

-## -gen_tunable(allow_httpd_anon_write, false) - -## -##

-## Allow Apache to use mod_auth_pam -##

-## -gen_tunable(allow_httpd_mod_auth_pam, false) - -## -##

-## Allow httpd to use built in scripting (usually php) -##

-## -gen_tunable(httpd_builtin_scripting, false) - -## -##

-## Allow HTTPD scripts and modules to connect to the network using TCP. -##

-## -gen_tunable(httpd_can_network_connect, false) - -## -##

-## Allow HTTPD scripts and modules to connect to databases over the network. -##

-## -gen_tunable(httpd_can_network_connect_db, false) - -## -##

-## Allow httpd to act as a relay -##

-## -gen_tunable(httpd_can_network_relay, false) - -## -##

-## Allow http daemon to send mail -##

-## -gen_tunable(httpd_can_sendmail, false) - -## -##

-## Allow Apache to communicate with avahi service via dbus -##

-## -gen_tunable(httpd_dbus_avahi, false) - -## -##

-## Allow httpd cgi support -##

-## -gen_tunable(httpd_enable_cgi, false) - -## -##

-## Allow httpd to act as a FTP server by -## listening on the ftp port. -##

-## -gen_tunable(httpd_enable_ftp_server, false) - -## -##

-## Allow httpd to read home directories -##

-## -gen_tunable(httpd_enable_homedirs, false) - -## -##

-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. -##

-## -gen_tunable(httpd_ssi_exec, false) - -## -##

-## Unify HTTPD to communicate with the terminal. -## Needed for entering the passphrase for certificates at -## the terminal. -##

-## -gen_tunable(httpd_tty_comm, false) - -## -##

-## Unify HTTPD handling of all content files. -##

-## -gen_tunable(httpd_unified, false) - -## -##

-## Allow httpd to access cifs file systems -##

-## -gen_tunable(httpd_use_cifs, false) - -## -##

-## Allow httpd to run gpg -##

-## -gen_tunable(httpd_use_gpg, false) - -## -##

-## Allow httpd to access nfs file systems -##

-## -gen_tunable(httpd_use_nfs, false) - -attribute httpdcontent; -attribute httpd_user_content_type; - -# domains that can exec all users scripts -attribute httpd_exec_scripts; - -attribute httpd_script_exec_type; -attribute httpd_user_script_exec_type; - -# user script domains -attribute httpd_script_domains; - -type httpd_t; -type httpd_exec_t; -init_daemon_domain(httpd_t, httpd_exec_t) -role system_r types httpd_t; - -# httpd_cache_t is the type given to the /var/cache/httpd -# directory and the files under that directory -type httpd_cache_t; -files_type(httpd_cache_t) - -# httpd_config_t is the type given to the configuration files -type httpd_config_t; -files_type(httpd_config_t) - -type httpd_helper_t; -type httpd_helper_exec_t; -domain_type(httpd_helper_t) -domain_entry_file(httpd_helper_t, httpd_helper_exec_t) -role system_r types httpd_helper_t; - -type httpd_initrc_exec_t; -init_script_file(httpd_initrc_exec_t) - -type httpd_lock_t; -files_lock_file(httpd_lock_t) - -type httpd_log_t; -logging_log_file(httpd_log_t) - -# httpd_modules_t is the type given to module files (libraries) -# that come with Apache /etc/httpd/modules and /usr/lib/apache -type httpd_modules_t; -files_type(httpd_modules_t) - -type httpd_php_t; -type httpd_php_exec_t; -domain_type(httpd_php_t) -domain_entry_file(httpd_php_t, httpd_php_exec_t) -role system_r types httpd_php_t; - -type httpd_php_tmp_t; -files_tmp_file(httpd_php_tmp_t) - -type httpd_rotatelogs_t; -type httpd_rotatelogs_exec_t; -init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) - -type httpd_squirrelmail_t; -files_type(httpd_squirrelmail_t) - -# SUEXEC runs user scripts as their own user ID -type httpd_suexec_t; #, daemon; -type httpd_suexec_exec_t; -domain_type(httpd_suexec_t) -domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -role system_r types httpd_suexec_t; - -type httpd_suexec_tmp_t; -files_tmp_file(httpd_suexec_tmp_t) - -# setup the system domain for system CGI scripts -apache_content_template(sys) -typealias httpd_sys_content_t alias ntop_http_content_t; - -type httpd_tmp_t; -files_tmp_file(httpd_tmp_t) - -type httpd_tmpfs_t; -files_tmpfs_file(httpd_tmpfs_t) - -apache_content_template(user) -ubac_constrained(httpd_user_script_t) -userdom_user_home_content(httpd_user_content_t) -userdom_user_home_content(httpd_user_htaccess_t) -userdom_user_home_content(httpd_user_script_exec_t) -userdom_user_home_content(httpd_user_ra_content_t) -userdom_user_home_content(httpd_user_rw_content_t) -typeattribute httpd_user_script_t httpd_script_domains; -typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; -typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; -typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; -typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; -typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; -typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; -typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; -typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; -typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; -typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; -typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; -typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; -typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; - -# for apache2 memory mapped files -type httpd_var_lib_t; -files_type(httpd_var_lib_t) - -type httpd_var_run_t; -files_pid_file(httpd_var_run_t) - -# File Type of squirrelmail attachments -type squirrelmail_spool_t; -files_tmp_file(squirrelmail_spool_t) - -optional_policy(` - prelink_object_file(httpd_modules_t) -') - -######################################## -# -# Apache server local policy -# - -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability { net_admin sys_tty_config }; -allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow httpd_t self:fd use; -allow httpd_t self:sock_file read_sock_file_perms; -allow httpd_t self:fifo_file rw_fifo_file_perms; -allow httpd_t self:shm create_shm_perms; -allow httpd_t self:sem create_sem_perms; -allow httpd_t self:msgq create_msgq_perms; -allow httpd_t self:msg { send receive }; -allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow httpd_t self:tcp_socket create_stream_socket_perms; -allow httpd_t self:udp_socket create_socket_perms; - -# Allow httpd_t to put files in /var/cache/httpd etc -manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) - -# Allow the httpd_t to read the web servers config files -allow httpd_t httpd_config_t:dir list_dir_perms; -read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) -read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) - -can_exec(httpd_t, httpd_exec_t) - -allow httpd_t httpd_lock_t:file manage_file_perms; -files_lock_filetrans(httpd_t, httpd_lock_t, file) - -allow httpd_t httpd_log_t:dir setattr; -create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -# cjp: need to refine create interfaces to -# cut this back to add_name only -logging_log_filetrans(httpd_t, httpd_log_t, file) - -allow httpd_t httpd_modules_t:dir list_dir_perms; -mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - -apache_domtrans_rotatelogs(httpd_t) -# Apache-httpd needs to be able to send signals to the log rotate procs. -allow httpd_t httpd_rotatelogs_t:process signal_perms; - -manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) - -allow httpd_t httpd_suexec_exec_t:file read_file_perms; - -allow httpd_t httpd_sys_content_t:dir list_dir_perms; -read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) - -allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; - -manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) - -manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) -files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) - -setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) - -manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - -kernel_read_kernel_sysctls(httpd_t) -# for modules that want to access /proc/meminfo -kernel_read_system_state(httpd_t) - -corenet_all_recvfrom_unlabeled(httpd_t) -corenet_all_recvfrom_netlabel(httpd_t) -corenet_tcp_sendrecv_generic_if(httpd_t) -corenet_udp_sendrecv_generic_if(httpd_t) -corenet_tcp_sendrecv_generic_node(httpd_t) -corenet_udp_sendrecv_generic_node(httpd_t) -corenet_tcp_sendrecv_all_ports(httpd_t) -corenet_udp_sendrecv_all_ports(httpd_t) -corenet_tcp_bind_generic_node(httpd_t) -corenet_tcp_bind_http_port(httpd_t) -corenet_tcp_bind_http_cache_port(httpd_t) -corenet_sendrecv_http_server_packets(httpd_t) -# Signal self for shutdown -corenet_tcp_connect_http_port(httpd_t) - -dev_read_sysfs(httpd_t) -dev_read_rand(httpd_t) -dev_read_urand(httpd_t) -dev_rw_crypto(httpd_t) - -fs_getattr_all_fs(httpd_t) -fs_search_auto_mountpoints(httpd_t) - -auth_use_nsswitch(httpd_t) - -# execute perl -corecmd_exec_bin(httpd_t) -corecmd_exec_shell(httpd_t) - -domain_use_interactive_fds(httpd_t) - -files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) -files_list_mnt(httpd_t) -files_search_spool(httpd_t) -files_read_var_lib_files(httpd_t) -files_search_home(httpd_t) -files_getattr_home_dir(httpd_t) -# for modules that want to access /etc/mtab -files_read_etc_runtime_files(httpd_t) -# Allow httpd_t to have access to files such as nisswitch.conf -files_read_etc_files(httpd_t) -# for tomcat -files_read_var_lib_symlinks(httpd_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) - -libs_read_lib_files(httpd_t) - -logging_send_syslog_msg(httpd_t) - -miscfiles_read_localization(httpd_t) -miscfiles_read_fonts(httpd_t) -miscfiles_read_public_files(httpd_t) -miscfiles_read_generic_certs(httpd_t) - -seutil_dontaudit_search_config(httpd_t) - -userdom_use_unpriv_users_fds(httpd_t) - -tunable_policy(`allow_httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) -') - -ifdef(`TODO', ` -# -# We need optionals to be able to be within booleans to make this work -# -tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) -') -') - -tunable_policy(`httpd_can_network_connect',` - corenet_tcp_connect_all_ports(httpd_t) -') - -tunable_policy(`httpd_can_network_relay',` - # allow httpd to work as a relay - corenet_tcp_connect_gopher_port(httpd_t) - corenet_tcp_connect_ftp_port(httpd_t) - corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) - corenet_tcp_connect_memcache_port(httpd_t) - corenet_sendrecv_gopher_client_packets(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` - fs_nfs_domtrans(httpd_t, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` - fs_cifs_domtrans(httpd_t, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) -') - -tunable_policy(`httpd_enable_ftp_server',` - corenet_tcp_bind_ftp_port(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_t) - fs_read_nfs_symlinks(httpd_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) -') - -tunable_policy(`httpd_can_sendmail',` - # allow httpd to connect to mail servers - corenet_tcp_connect_smtp_port(httpd_t) - corenet_sendrecv_smtp_client_packets(httpd_t) - mta_send_mail(httpd_t) -') - -tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) - allow httpd_sys_script_t httpd_t:fd use; - allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; - allow httpd_sys_script_t httpd_t:process sigchld; -') - -# When the admin starts the server, the server wants to access -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are dontaudited here. -tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) -') - -optional_policy(` - calamaris_read_www_files(httpd_t) -') - -optional_policy(` - ccs_read_config(httpd_t) -') - -optional_policy(` - cobbler_search_lib(httpd_t) -') - -optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -') - -optional_policy(` - cvs_read_data(httpd_t) -') - -optional_policy(` - daemontools_service_domain(httpd_t, httpd_exec_t) -') - - optional_policy(` - dbus_system_bus_client(httpd_t) - - tunable_policy(`httpd_dbus_avahi',` - avahi_dbus_chat(httpd_t) - ') -') - -optional_policy(` - tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` - gpg_domtrans(httpd_t) - ') -') - -optional_policy(` - kerberos_keytab_template(httpd, httpd_t) -') - -optional_policy(` - mailman_signal_cgi(httpd_t) - mailman_domtrans_cgi(httpd_t) - mailman_read_data_files(httpd_t) - # should have separate types for public and private archives - mailman_search_data(httpd_t) - mailman_read_archive(httpd_t) -') - -optional_policy(` - # Allow httpd to work with mysql - mysql_stream_connect(httpd_t) - mysql_rw_db_sockets(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_t) - ') -') - -optional_policy(` - nagios_read_config(httpd_t) -') - -optional_policy(` - openca_domtrans(httpd_t) - openca_signal(httpd_t) - openca_sigstop(httpd_t) - openca_kill(httpd_t) -') - -optional_policy(` - # Allow httpd to work with postgresql - postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(httpd_t) -') - -optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) -') - -optional_policy(` - udev_read_db(httpd_t) -') - -optional_policy(` - yam_read_content(httpd_t) -') - -######################################## -# -# Apache helper local policy -# - -domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) - -allow httpd_helper_t httpd_config_t:file read_file_perms; - -allow httpd_helper_t httpd_log_t:file append_file_perms; - -logging_send_syslog_msg(httpd_helper_t) - -userdom_use_user_terminals(httpd_helper_t) - -######################################## -# -# Apache PHP script local policy -# - -allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow httpd_php_t self:fd use; -allow httpd_php_t self:fifo_file rw_fifo_file_perms; -allow httpd_php_t self:sock_file read_sock_file_perms; -allow httpd_php_t self:unix_dgram_socket create_socket_perms; -allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; -allow httpd_php_t self:unix_dgram_socket sendto; -allow httpd_php_t self:unix_stream_socket connectto; -allow httpd_php_t self:shm create_shm_perms; -allow httpd_php_t self:sem create_sem_perms; -allow httpd_php_t self:msgq create_msgq_perms; -allow httpd_php_t self:msg { send receive }; - -domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) - -# allow php to read and append to apache logfiles -allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; - -manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) -manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) -files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) - -fs_search_auto_mountpoints(httpd_php_t) - -auth_use_nsswitch(httpd_php_t) - -libs_exec_lib_files(httpd_php_t) - -userdom_use_unpriv_users_fds(httpd_php_t) - -tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mysqld_port(httpd_t) - corenet_sendrecv_mysqld_client_packets(httpd_t) - corenet_tcp_connect_mysqld_port(httpd_sys_script_t) - corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) - corenet_tcp_connect_mysqld_port(httpd_suexec_t) - corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) - - corenet_tcp_connect_mssql_port(httpd_t) - corenet_sendrecv_mssql_client_packets(httpd_t) - corenet_tcp_connect_mssql_port(httpd_sys_script_t) - corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) - corenet_tcp_connect_mssql_port(httpd_suexec_t) - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -') - -optional_policy(` - mysql_stream_connect(httpd_php_t) - mysql_read_config(httpd_php_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_php_t) -') - -######################################## -# -# Apache suexec local policy -# - -allow httpd_suexec_t self:capability { setuid setgid }; -allow httpd_suexec_t self:process signal_perms; -allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; - -domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - -create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - -allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - -manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) -manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) -files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(httpd_suexec_t) -kernel_list_proc(httpd_suexec_t) -kernel_read_proc_symlinks(httpd_suexec_t) - -dev_read_urand(httpd_suexec_t) - -fs_search_auto_mountpoints(httpd_suexec_t) - -# for shell scripts -corecmd_exec_bin(httpd_suexec_t) -corecmd_exec_shell(httpd_suexec_t) - -files_read_etc_files(httpd_suexec_t) -files_read_usr_files(httpd_suexec_t) -files_dontaudit_search_pids(httpd_suexec_t) -files_search_home(httpd_suexec_t) - -auth_use_nsswitch(httpd_suexec_t) - -logging_search_logs(httpd_suexec_t) -logging_send_syslog_msg(httpd_suexec_t) - -miscfiles_read_localization(httpd_suexec_t) -miscfiles_read_public_files(httpd_suexec_t) - -tunable_policy(`httpd_can_network_connect',` - allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; - allow httpd_suexec_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_suexec_t) - corenet_all_recvfrom_netlabel(httpd_suexec_t) - corenet_tcp_sendrecv_generic_if(httpd_suexec_t) - corenet_udp_sendrecv_generic_if(httpd_suexec_t) - corenet_tcp_sendrecv_generic_node(httpd_suexec_t) - corenet_udp_sendrecv_generic_node(httpd_suexec_t) - corenet_tcp_sendrecv_all_ports(httpd_suexec_t) - corenet_udp_sendrecv_all_ports(httpd_suexec_t) - corenet_tcp_connect_all_ports(httpd_suexec_t) - corenet_sendrecv_all_client_packets(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_sys_script_t httpdcontent:file entrypoint; - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) - -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_suexec_t) - fs_read_nfs_symlinks(httpd_suexec_t) - fs_exec_nfs_files(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_suexec_t) - fs_read_cifs_symlinks(httpd_suexec_t) - fs_exec_cifs_files(httpd_suexec_t) -') - -optional_policy(` - mailman_domtrans_cgi(httpd_suexec_t) -') - -optional_policy(` - mta_stub(httpd_suexec_t) - - # apache should set close-on-exec - dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; -') - -######################################## -# -# Apache system script local policy -# - -allow httpd_sys_script_t self:process getsched; - -allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; - -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) - -kernel_read_kernel_sysctls(httpd_sys_script_t) - -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) - -# Should we add a boolean? -apache_domtrans_rotatelogs(httpd_sys_script_t) - -ifdef(`distro_redhat',` - allow httpd_sys_script_t httpd_log_t:file append_file_perms; -') - -tunable_policy(`httpd_can_sendmail',` - mta_send_mail(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_sys_script_t self:udp_socket create_socket_perms; - - corenet_tcp_bind_all_nodes(httpd_sys_script_t) - corenet_udp_bind_all_nodes(httpd_sys_script_t) - corenet_all_recvfrom_unlabeled(httpd_sys_script_t) - corenet_all_recvfrom_netlabel(httpd_sys_script_t) - corenet_tcp_sendrecv_all_if(httpd_sys_script_t) - corenet_udp_sendrecv_all_if(httpd_sys_script_t) - corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) - corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) - corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) - corenet_udp_sendrecv_all_ports(httpd_sys_script_t) - corenet_tcp_connect_all_ports(httpd_sys_script_t) - corenet_sendrecv_all_client_packets(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_sys_script_t) - fs_read_cifs_symlinks(httpd_sys_script_t) -') - -optional_policy(` - clamav_domtrans_clamscan(httpd_sys_script_t) -') - -optional_policy(` - mysql_stream_connect(httpd_sys_script_t) - mysql_rw_db_sockets(httpd_sys_script_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_sys_script_t) -') - -######################################## -# -# httpd_rotatelogs local policy -# - -allow httpd_rotatelogs_t self:capability dac_override; - -manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - -kernel_read_kernel_sysctls(httpd_rotatelogs_t) -kernel_dontaudit_list_proc(httpd_rotatelogs_t) -kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) - -files_read_etc_files(httpd_rotatelogs_t) - -logging_search_logs(httpd_rotatelogs_t) - -miscfiles_read_localization(httpd_rotatelogs_t) - -######################################## -# -# Unconfined script local policy -# - -optional_policy(` - type httpd_unconfined_script_t; - type httpd_unconfined_script_exec_t; - domain_type(httpd_unconfined_script_t) - domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) - domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) - unconfined_domain(httpd_unconfined_script_t) - - role system_r types httpd_unconfined_script_t; - allow httpd_t httpd_unconfined_script_t:process signal_perms; -') - -######################################## -# -# User content local policy -# - -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_user_script_t httpdcontent:file entrypoint; -') - -# allow accessing files/dirs below the users home dir -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_t) - userdom_search_user_home_dirs(httpd_suexec_t) - userdom_search_user_home_dirs(httpd_user_script_t) -') diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc deleted file mode 100644 index cd07b96ee..000000000 --- a/policy/modules/services/apcupsd.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) - -/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) -/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - -/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) - -/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if deleted file mode 100644 index e342775eb..000000000 --- a/policy/modules/services/apcupsd.if +++ /dev/null @@ -1,168 +0,0 @@ -## APC UPS monitoring daemon - -######################################## -## -## Execute a domain transition to run apcupsd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apcupsd_domtrans',` - gen_require(` - type apcupsd_t, apcupsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) -') - -######################################## -## -## Execute apcupsd server in the apcupsd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apcupsd_initrc_domtrans',` - gen_require(` - type apcupsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) -') - -######################################## -## -## Read apcupsd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apcupsd_read_pid_files',` - gen_require(` - type apcupsd_var_run_t; - ') - - files_search_pids($1) - allow $1 apcupsd_var_run_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to read apcupsd's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apcupsd_read_log',` - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to append -## apcupsd log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`apcupsd_append_log',` - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file append_file_perms; -') - -######################################## -## -## Execute a domain transition to run httpd_apcupsd_cgi_script. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apcupsd_cgi_script_domtrans',` - gen_require(` - type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; - ') - - optional_policy(` - apache_search_sys_content($1) - ') - - files_search_var($1) - domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) -') - -######################################## -## -## All of the rules required to administrate -## an apcupsd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the apcupsd domain. -## -## -## -# -interface(`apcupsd_admin',` - gen_require(` - type apcupsd_t, apcupsd_tmp_t; - type apcupsd_log_t, apcupsd_lock_t; - type apcupsd_var_run_t; - type apcupsd_initrc_exec_t; - ') - - allow $1 apcupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apcupsd_t) - - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, apcupsd_lock_t) - - logging_list_logs($1) - admin_pattern($1, apcupsd_log_t) - - files_list_tmp($1) - admin_pattern($1, apcupsd_tmp_t) - - files_list_pids($1) - admin_pattern($1, apcupsd_var_run_t) -') diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te deleted file mode 100644 index d052bf0e1..000000000 --- a/policy/modules/services/apcupsd.te +++ /dev/null @@ -1,127 +0,0 @@ -policy_module(apcupsd, 1.8.0) - -######################################## -# -# Declarations -# - -type apcupsd_t; -type apcupsd_exec_t; -init_daemon_domain(apcupsd_t, apcupsd_exec_t) - -type apcupsd_lock_t; -files_lock_file(apcupsd_lock_t) - -type apcupsd_initrc_exec_t; -init_script_file(apcupsd_initrc_exec_t) - -type apcupsd_log_t; -logging_log_file(apcupsd_log_t) - -type apcupsd_tmp_t; -files_tmp_file(apcupsd_tmp_t) - -type apcupsd_var_run_t; -files_pid_file(apcupsd_var_run_t) - -######################################## -# -# apcupsd local policy -# - -allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -allow apcupsd_t self:process signal; -allow apcupsd_t self:fifo_file rw_file_perms; -allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; -allow apcupsd_t self:tcp_socket create_stream_socket_perms; - -allow apcupsd_t apcupsd_lock_t:file manage_file_perms; -files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) - -allow apcupsd_t apcupsd_log_t:dir setattr; -manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir }) - -manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file) - -manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t) -files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file) - -kernel_read_system_state(apcupsd_t) - -corecmd_exec_bin(apcupsd_t) -corecmd_exec_shell(apcupsd_t) - -corenet_all_recvfrom_unlabeled(apcupsd_t) -corenet_all_recvfrom_netlabel(apcupsd_t) -corenet_tcp_sendrecv_generic_if(apcupsd_t) -corenet_tcp_sendrecv_generic_node(apcupsd_t) -corenet_tcp_sendrecv_all_ports(apcupsd_t) -corenet_tcp_bind_generic_node(apcupsd_t) -corenet_tcp_bind_apcupsd_port(apcupsd_t) -corenet_sendrecv_apcupsd_server_packets(apcupsd_t) -corenet_tcp_connect_apcupsd_port(apcupsd_t) - -dev_rw_generic_usb_dev(apcupsd_t) - -# Init script handling -domain_use_interactive_fds(apcupsd_t) - -files_read_etc_files(apcupsd_t) -files_search_locks(apcupsd_t) -# Creates /etc/nologin -files_manage_etc_runtime_files(apcupsd_t) -files_etc_filetrans_etc_runtime(apcupsd_t, file) - -# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 -term_use_unallocated_ttys(apcupsd_t) - -#apcupsd runs shutdown, probably need a shutdown domain -init_rw_utmp(apcupsd_t) -init_telinit(apcupsd_t) - -logging_send_syslog_msg(apcupsd_t) - -miscfiles_read_localization(apcupsd_t) - -sysnet_dns_name_resolve(apcupsd_t) - -userdom_use_user_ttys(apcupsd_t) - -optional_policy(` - hostname_exec(apcupsd_t) -') - -optional_policy(` - mta_send_mail(apcupsd_t) - mta_system_content(apcupsd_tmp_t) -') - -optional_policy(` - shutdown_domtrans(apcupsd_t) -') - -######################################## -# -# apcupsd_cgi Declarations -# - -optional_policy(` - apache_content_template(apcupsd_cgi) - - allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) - corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) - - sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) -') diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc deleted file mode 100644 index 012377717..000000000 --- a/policy/modules/services/apm.fc +++ /dev/null @@ -1,23 +0,0 @@ - -# -# /usr -# -/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) - -/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0) -/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0) -/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0) - -# -# /var -# -/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) - -/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) -/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) - -ifdef(`distro_suse',` -/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) -') diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if deleted file mode 100644 index 1ea99b29b..000000000 --- a/policy/modules/services/apm.if +++ /dev/null @@ -1,113 +0,0 @@ -## Advanced power management daemon - -######################################## -## -## Execute APM in the apm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apm_domtrans_client',` - gen_require(` - type apm_t, apm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apm_exec_t, apm_t) -') - -######################################## -## -## Use file descriptors for apmd. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_use_fds',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:fd use; -') - -######################################## -## -## Write to apmd unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_write_pipes',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:fifo_file write; -') - -######################################## -## -## Read and write to an apm unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_rw_stream_sockets',` - gen_require(` - type apmd_t; - ') - - allow $1 apmd_t:unix_stream_socket { read write }; -') - -######################################## -## -## Append to apm's log file. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_append_log',` - gen_require(` - type apmd_log_t; - ') - - logging_search_logs($1) - allow $1 apmd_log_t:file append; -') - -######################################## -## -## Connect to apmd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`apm_stream_connect',` - gen_require(` - type apmd_t, apmd_var_run_t; - ') - - files_search_pids($1) - allow $1 apmd_var_run_t:sock_file write; - allow $1 apmd_t:unix_stream_socket connectto; -') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te deleted file mode 100644 index 1c8c27e4d..000000000 --- a/policy/modules/services/apm.te +++ /dev/null @@ -1,232 +0,0 @@ -policy_module(apm, 1.11.0) - -######################################## -# -# Declarations -# -type apmd_t; -type apmd_exec_t; -init_daemon_domain(apmd_t, apmd_exec_t) - -type apm_t; -type apm_exec_t; -application_domain(apm_t, apm_exec_t) -role system_r types apm_t; - -type apmd_log_t; -logging_log_file(apmd_log_t) - -type apmd_tmp_t; -files_tmp_file(apmd_tmp_t) - -type apmd_var_run_t; -files_pid_file(apmd_var_run_t) - -ifdef(`distro_redhat',` - type apmd_lock_t; - files_lock_file(apmd_lock_t) -') - -ifdef(`distro_suse',` - type apmd_var_lib_t; - files_type(apmd_var_lib_t) -') - -######################################## -# -# apm client Local policy -# - -allow apm_t self:capability { dac_override sys_admin }; - -kernel_read_system_state(apm_t) - -dev_rw_apm_bios(apm_t) - -fs_getattr_xattr_fs(apm_t) - -term_use_all_terms(apm_t) - -domain_use_interactive_fds(apm_t) - -logging_send_syslog_msg(apm_t) - -######################################## -# -# apm daemon Local policy -# - -# mknod: controlling an orderly resume of PCMCIA requires creating device -# nodes 254,{0,1,2} for some reason. -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; -allow apmd_t self:process { signal_perms getsession }; -allow apmd_t self:fifo_file rw_fifo_file_perms; -allow apmd_t self:unix_dgram_socket create_socket_perms; -allow apmd_t self:unix_stream_socket create_stream_socket_perms; - -allow apmd_t apmd_log_t:file manage_file_perms; -logging_log_filetrans(apmd_t, apmd_log_t, file) - -manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) -manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) -files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) - -manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) -manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) -files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(apmd_t) -kernel_rw_all_sysctls(apmd_t) -kernel_read_system_state(apmd_t) -kernel_write_proc_files(apmd_t) - -dev_read_realtime_clock(apmd_t) -dev_read_urand(apmd_t) -dev_rw_apm_bios(apmd_t) -dev_rw_sysfs(apmd_t) -dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive? -dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive? - -fs_dontaudit_list_tmpfs(apmd_t) -fs_getattr_all_fs(apmd_t) -fs_search_auto_mountpoints(apmd_t) -fs_dontaudit_getattr_all_files(apmd_t) # Excessive? -fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? -fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive? -fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive? - -selinux_search_fs(apmd_t) - -corecmd_exec_all_executables(apmd_t) - -domain_read_all_domains_state(apmd_t) -domain_dontaudit_ptrace_all_domains(apmd_t) -domain_use_interactive_fds(apmd_t) -domain_dontaudit_getattr_all_sockets(apmd_t) -domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive? -domain_dontaudit_list_all_domains_state(apmd_t) # Excessive? - -files_exec_etc_files(apmd_t) -files_read_etc_runtime_files(apmd_t) -files_dontaudit_getattr_all_files(apmd_t) # Excessive? -files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? -files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? -files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? - -init_domtrans_script(apmd_t) -init_rw_utmp(apmd_t) -init_telinit(apmd_t) - -libs_exec_ld_so(apmd_t) -libs_exec_lib_files(apmd_t) - -logging_send_syslog_msg(apmd_t) -logging_send_audit_msgs(apmd_t) - -miscfiles_read_localization(apmd_t) -miscfiles_read_hwdata(apmd_t) - -modutils_domtrans_insmod(apmd_t) -modutils_read_module_config(apmd_t) - -seutil_dontaudit_read_config(apmd_t) - -userdom_dontaudit_use_unpriv_user_fds(apmd_t) -userdom_dontaudit_search_user_home_dirs(apmd_t) -userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? - -ifdef(`distro_redhat',` - allow apmd_t apmd_lock_t:file manage_file_perms; - files_lock_filetrans(apmd_t, apmd_lock_t, file) - - can_exec(apmd_t, apmd_var_run_t) - - # ifconfig_exec_t needs to be run in its own domain for Red Hat - optional_policy(` - sysnet_domtrans_ifconfig(apmd_t) - ') - - optional_policy(` - iptables_domtrans(apmd_t) - ') - - optional_policy(` - netutils_domtrans(apmd_t) - ') - -',` - # for ifconfig which is run all the time - kernel_dontaudit_search_sysctl(apmd_t) -') - -ifdef(`distro_suse',` - manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) - manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) - files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file) -') - -optional_policy(` - automount_domtrans(apmd_t) -') - -optional_policy(` - clock_domtrans(apmd_t) - clock_rw_adjtime(apmd_t) -') - -optional_policy(` - cron_system_entry(apmd_t, apmd_exec_t) - cron_anacron_domtrans_system_job(apmd_t) -') - -optional_policy(` - dbus_system_bus_client(apmd_t) - - optional_policy(` - consolekit_dbus_chat(apmd_t) - ') - - optional_policy(` - networkmanager_dbus_chat(apmd_t) - ') -') - -optional_policy(` - logrotate_use_fds(apmd_t) -') - -optional_policy(` - mta_send_mail(apmd_t) -') - -optional_policy(` - nscd_socket_use(apmd_t) -') - -optional_policy(` - pcmcia_domtrans_cardmgr(apmd_t) - pcmcia_domtrans_cardctl(apmd_t) -') - -optional_policy(` - seutil_sigchld_newrole(apmd_t) -') - -optional_policy(` - udev_read_db(apmd_t) - udev_read_state(apmd_t) #necessary? -') - -optional_policy(` - unconfined_domain(apmd_t) -') - -optional_policy(` - vbetool_domtrans(apmd_t) -') - -# cjp: related to sleep/resume (?) -optional_policy(` - xserver_domtrans(apmd_t) -') diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc deleted file mode 100644 index a86a6c717..000000000 --- a/policy/modules/services/arpwatch.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) - -# -# /var -# -/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) -/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if deleted file mode 100644 index c804110ac..000000000 --- a/policy/modules/services/arpwatch.if +++ /dev/null @@ -1,156 +0,0 @@ -## Ethernet activity monitor. - -######################################## -## -## Execute arpwatch server in the arpwatch domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`arpwatch_initrc_domtrans',` - gen_require(` - type arpwatch_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) -') - -######################################## -## -## Search arpwatch's data file directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_search_data',` - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - allow $1 arpwatch_data_t:dir search_dir_perms; -') - -######################################## -## -## Create arpwatch data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_manage_data_files',` - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) -') - -######################################## -## -## Read and write arpwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_rw_tmp_files',` - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file rw_file_perms; -') - -######################################## -## -## Read and write arpwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`arpwatch_manage_tmp_files',` - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file manage_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## arpwatch packet sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`arpwatch_dontaudit_rw_packet_sockets',` - gen_require(` - type arpwatch_t; - ') - - dontaudit $1 arpwatch_t:packet_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an arpwatch environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the arpwatch domain. -## -## -## -# -interface(`arpwatch_admin',` - gen_require(` - type arpwatch_t, arpwatch_tmp_t; - type arpwatch_data_t, arpwatch_var_run_t; - type arpwatch_initrc_exec_t; - ') - - allow $1 arpwatch_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, arpwatch_t) - - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, arpwatch_tmp_t) - - files_list_var($1) - admin_pattern($1, arpwatch_data_t) - - files_list_pids($1) - admin_pattern($1, arpwatch_var_run_t) -') diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te deleted file mode 100644 index 804135f93..000000000 --- a/policy/modules/services/arpwatch.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(arpwatch, 1.10.0) - -######################################## -# -# Declarations -# - -type arpwatch_t; -type arpwatch_exec_t; -init_daemon_domain(arpwatch_t, arpwatch_exec_t) - -type arpwatch_data_t; -files_type(arpwatch_data_t) - -type arpwatch_initrc_exec_t; -init_script_file(arpwatch_initrc_exec_t) - -type arpwatch_tmp_t; -files_tmp_file(arpwatch_tmp_t) - -type arpwatch_var_run_t; -files_pid_file(arpwatch_var_run_t) - -######################################## -# -# Local policy -# -allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; -dontaudit arpwatch_t self:capability sys_tty_config; -allow arpwatch_t self:process signal_perms; -allow arpwatch_t self:unix_dgram_socket create_socket_perms; -allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; -allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; -allow arpwatch_t self:udp_socket create_socket_perms; -allow arpwatch_t self:packet_socket create_socket_perms; -allow arpwatch_t self:socket create_socket_perms; - -manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) - -manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) -manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) -files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) - -manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) -files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) - -kernel_read_network_state(arpwatch_t) -kernel_read_kernel_sysctls(arpwatch_t) -kernel_list_proc(arpwatch_t) -kernel_read_proc_symlinks(arpwatch_t) -kernel_request_load_module(arpwatch_t) - -corenet_all_recvfrom_unlabeled(arpwatch_t) -corenet_all_recvfrom_netlabel(arpwatch_t) -corenet_tcp_sendrecv_generic_if(arpwatch_t) -corenet_udp_sendrecv_generic_if(arpwatch_t) -corenet_raw_sendrecv_generic_if(arpwatch_t) -corenet_tcp_sendrecv_generic_node(arpwatch_t) -corenet_udp_sendrecv_generic_node(arpwatch_t) -corenet_raw_sendrecv_generic_node(arpwatch_t) -corenet_tcp_sendrecv_all_ports(arpwatch_t) -corenet_udp_sendrecv_all_ports(arpwatch_t) - -dev_read_sysfs(arpwatch_t) -dev_read_usbmon_dev(arpwatch_t) -dev_rw_generic_usb_dev(arpwatch_t) - -fs_getattr_all_fs(arpwatch_t) -fs_search_auto_mountpoints(arpwatch_t) - -corecmd_read_bin_symlinks(arpwatch_t) - -domain_use_interactive_fds(arpwatch_t) - -files_read_etc_files(arpwatch_t) -files_read_usr_files(arpwatch_t) -files_search_var_lib(arpwatch_t) - -auth_use_nsswitch(arpwatch_t) - -logging_send_syslog_msg(arpwatch_t) - -miscfiles_read_localization(arpwatch_t) - -userdom_dontaudit_search_user_home_dirs(arpwatch_t) -userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) - -mta_send_mail(arpwatch_t) - -optional_policy(` - seutil_sigchld_newrole(arpwatch_t) -') - -optional_policy(` - udev_read_db(arpwatch_t) -') diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc deleted file mode 100644 index b4889d404..000000000 --- a/policy/modules/services/asterisk.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) -/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) - -/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0) - -/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0) -/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) -/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) -/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if deleted file mode 100644 index 8b8143ef9..000000000 --- a/policy/modules/services/asterisk.if +++ /dev/null @@ -1,92 +0,0 @@ -## Asterisk IP telephony server - -###################################### -## -## Execute asterisk in the asterisk domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`asterisk_domtrans',` - gen_require(` - type asterisk_t, asterisk_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, asterisk_exec_t, asterisk_t) -') - -##################################### -## -## Connect to asterisk over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`asterisk_stream_connect',` - gen_require(` - type asterisk_t, asterisk_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -') - -######################################## -## -## All of the rules required to administrate -## an asterisk environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the asterisk domain. -## -## -## -# -interface(`asterisk_admin',` - gen_require(` - type asterisk_t, asterisk_var_run_t, asterisk_spool_t; - type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; - type asterisk_var_lib_t; - type asterisk_initrc_exec_t; - ') - - allow $1 asterisk_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, asterisk_t) - - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, asterisk_tmp_t) - - files_list_etc($1) - admin_pattern($1, asterisk_etc_t) - - logging_list_logs($1) - admin_pattern($1, asterisk_log_t) - - files_list_spool($1) - admin_pattern($1, asterisk_spool_t) - - files_list_var_lib($1) - admin_pattern($1, asterisk_var_lib_t) - - files_list_pids($1) - admin_pattern($1, asterisk_var_run_t) -') diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te deleted file mode 100644 index b3b017689..000000000 --- a/policy/modules/services/asterisk.te +++ /dev/null @@ -1,170 +0,0 @@ -policy_module(asterisk, 1.9.0) - -######################################## -# -# Declarations -# - -type asterisk_t; -type asterisk_exec_t; -init_daemon_domain(asterisk_t, asterisk_exec_t) - -type asterisk_etc_t; -files_config_file(asterisk_etc_t) - -type asterisk_initrc_exec_t; -init_script_file(asterisk_initrc_exec_t) - -type asterisk_log_t; -logging_log_file(asterisk_log_t) - -type asterisk_spool_t; -files_type(asterisk_spool_t) - -type asterisk_tmp_t; -files_tmp_file(asterisk_tmp_t) - -type asterisk_tmpfs_t; -files_tmpfs_file(asterisk_tmpfs_t) - -type asterisk_var_lib_t; -files_type(asterisk_var_lib_t) - -type asterisk_var_run_t; -files_pid_file(asterisk_var_run_t) - -######################################## -# -# Local policy -# - -# dac_override for /var/run/asterisk -allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; -dontaudit asterisk_t self:capability sys_tty_config; -allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; -allow asterisk_t self:fifo_file rw_fifo_file_perms; -allow asterisk_t self:sem create_sem_perms; -allow asterisk_t self:shm create_shm_perms; -allow asterisk_t self:unix_stream_socket connectto; -allow asterisk_t self:tcp_socket create_stream_socket_perms; -allow asterisk_t self:udp_socket create_socket_perms; - -allow asterisk_t asterisk_etc_t:dir list_dir_perms; -read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) -read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) -files_search_etc(asterisk_t) - -can_exec(asterisk_t, asterisk_exec_t) - -manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir }) - -manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) - -manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir }) - -manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) -fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) -files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) - -manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -kernel_read_system_state(asterisk_t) -kernel_read_kernel_sysctls(asterisk_t) -kernel_request_load_module(asterisk_t) - -corecmd_exec_bin(asterisk_t) -corecmd_exec_shell(asterisk_t) - -corenet_all_recvfrom_unlabeled(asterisk_t) -corenet_all_recvfrom_netlabel(asterisk_t) -corenet_tcp_sendrecv_generic_if(asterisk_t) -corenet_udp_sendrecv_generic_if(asterisk_t) -corenet_tcp_sendrecv_generic_node(asterisk_t) -corenet_udp_sendrecv_generic_node(asterisk_t) -corenet_tcp_sendrecv_all_ports(asterisk_t) -corenet_udp_sendrecv_all_ports(asterisk_t) -corenet_tcp_bind_generic_node(asterisk_t) -corenet_udp_bind_generic_node(asterisk_t) -corenet_tcp_bind_asterisk_port(asterisk_t) -corenet_tcp_bind_sip_port(asterisk_t) -corenet_udp_bind_asterisk_port(asterisk_t) -corenet_udp_bind_sip_port(asterisk_t) -corenet_sendrecv_asterisk_server_packets(asterisk_t) -# for VOIP voice channels. -corenet_tcp_bind_generic_port(asterisk_t) -corenet_udp_bind_generic_port(asterisk_t) -corenet_dontaudit_udp_bind_all_ports(asterisk_t) -corenet_sendrecv_generic_server_packets(asterisk_t) -corenet_tcp_connect_postgresql_port(asterisk_t) -corenet_tcp_connect_snmp_port(asterisk_t) -corenet_tcp_connect_sip_port(asterisk_t) - -dev_rw_generic_usb_dev(asterisk_t) -dev_read_sysfs(asterisk_t) -dev_read_sound(asterisk_t) -dev_write_sound(asterisk_t) -dev_read_urand(asterisk_t) - -domain_use_interactive_fds(asterisk_t) - -files_read_etc_files(asterisk_t) -files_search_spool(asterisk_t) -# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm -# are labeled usr_t -files_read_usr_files(asterisk_t) - -fs_getattr_all_fs(asterisk_t) -fs_list_inotifyfs(asterisk_t) -fs_read_anon_inodefs_files(asterisk_t) -fs_search_auto_mountpoints(asterisk_t) - -auth_use_nsswitch(asterisk_t) - -logging_send_syslog_msg(asterisk_t) - -miscfiles_read_localization(asterisk_t) - -userdom_dontaudit_use_unpriv_user_fds(asterisk_t) -userdom_dontaudit_search_user_home_dirs(asterisk_t) - -optional_policy(` - mysql_stream_connect(asterisk_t) -') - -optional_policy(` - mta_send_mail(asterisk_t) -') - -optional_policy(` - postfix_domtrans_postdrop(asterisk_t) -') - -optional_policy(` - postgresql_stream_connect(asterisk_t) -') - -optional_policy(` - seutil_sigchld_newrole(asterisk_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(asterisk_t) - snmp_stream_connect(asterisk_t) -') - -optional_policy(` - udev_read_db(asterisk_t) -') diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc deleted file mode 100644 index f16ab6817..000000000 --- a/policy/modules/services/automount.fc +++ /dev/null @@ -1,16 +0,0 @@ -# -# /etc -# -/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) -/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) - -# -# /var -# - -/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if deleted file mode 100644 index d80a16b87..000000000 --- a/policy/modules/services/automount.if +++ /dev/null @@ -1,168 +0,0 @@ -## Filesystem automounter service. - -######################################## -## -## Execute automount in the automount domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`automount_domtrans',` - gen_require(` - type automount_t, automount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, automount_exec_t, automount_t) -') - -######################################## -## -## Send automount a signal -## -## -## -## Domain allowed access. -## -## -# -# -interface(`automount_signal',` - gen_require(` - type automount_t; - ') - - allow $1 automount_t:process signal; -') - -######################################## -## -## Execute automount in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`automount_exec_config',` - refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.') - files_exec_etc_files($1) -') - -######################################## -## -## Allow the domain to read state files in /proc. -## -## -## -## Domain to allow access. -## -## -# -interface(`automount_read_state',` - gen_require(` - type automount_t; - ') - - read_files_pattern($1, automount_t, automount_t) -') - -######################################## -## -## Do not audit attempts to file descriptors for automount. -## -## -## -## Domain to not audit. -## -## -# -interface(`automount_dontaudit_use_fds',` - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fd use; -') - -######################################## -## -## Do not audit attempts to write automount daemon unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`automount_dontaudit_write_pipes',` - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fifo_file write; -') - -######################################## -## -## Do not audit attempts to get the attributes -## of automount temporary directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`automount_dontaudit_getattr_tmp_dirs',` - gen_require(` - type automount_tmp_t; - ') - - dontaudit $1 automount_tmp_t:dir getattr; -') - -######################################## -## -## All of the rules required to administrate -## an automount environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the automount domain. -## -## -## -# -interface(`automount_admin',` - gen_require(` - type automount_t, automount_lock_t, automount_tmp_t; - type automount_var_run_t, automount_initrc_exec_t; - ') - - allow $1 automount_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, automount_t) - - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, automount_lock_t) - - files_list_tmp($1) - admin_pattern($1, automount_tmp_t) - - files_list_pids($1) - admin_pattern($1, automount_var_run_t) -') diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te deleted file mode 100644 index 39799dbae..000000000 --- a/policy/modules/services/automount.te +++ /dev/null @@ -1,182 +0,0 @@ -policy_module(automount, 1.13.0) - -######################################## -# -# Declarations -# - -type automount_t; -type automount_exec_t; -init_daemon_domain(automount_t, automount_exec_t) - -type automount_initrc_exec_t; -init_script_file(automount_initrc_exec_t) - -type automount_var_run_t; -files_pid_file(automount_var_run_t) - -type automount_lock_t; -files_lock_file(automount_lock_t) - -type automount_tmp_t; -files_tmp_file(automount_tmp_t) -files_mountpoint(automount_tmp_t) - -######################################## -# -# Local policy -# - -allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin }; -dontaudit automount_t self:capability sys_tty_config; -allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; -allow automount_t self:fifo_file rw_fifo_file_perms; -allow automount_t self:unix_stream_socket create_socket_perms; -allow automount_t self:unix_dgram_socket create_socket_perms; -allow automount_t self:tcp_socket create_stream_socket_perms; -allow automount_t self:udp_socket create_socket_perms; -allow automount_t self:rawip_socket create_socket_perms; - -can_exec(automount_t, automount_exec_t) - -allow automount_t automount_lock_t:file manage_file_perms; -files_lock_filetrans(automount_t, automount_lock_t, file) - -manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t) -manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t) -files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) - -# Allow automount to create and delete directories in / and /home -allow automount_t automount_tmp_t:dir manage_dir_perms; -files_home_filetrans(automount_t, automount_tmp_t, dir) -files_root_filetrans(automount_t, automount_tmp_t, dir) - -manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) -files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) - -kernel_read_kernel_sysctls(automount_t) -kernel_read_irq_sysctls(automount_t) -kernel_read_fs_sysctls(automount_t) -kernel_read_proc_symlinks(automount_t) -kernel_read_system_state(automount_t) -kernel_read_network_state(automount_t) -kernel_list_proc(automount_t) -kernel_dontaudit_search_xen_state(automount_t) - -files_search_boot(automount_t) -# Automount is slowly adding all mount functionality internally -files_search_all(automount_t) -files_mounton_all_mountpoints(automount_t) -files_mount_all_file_type_fs(automount_t) -files_unmount_all_file_type_fs(automount_t) -files_manage_non_security_dirs(automount_t) - -fs_mount_all_fs(automount_t) -fs_unmount_all_fs(automount_t) -fs_search_all(automount_t) - -corecmd_exec_bin(automount_t) -corecmd_exec_shell(automount_t) - -corenet_all_recvfrom_unlabeled(automount_t) -corenet_all_recvfrom_netlabel(automount_t) -corenet_tcp_sendrecv_generic_if(automount_t) -corenet_udp_sendrecv_generic_if(automount_t) -corenet_tcp_sendrecv_generic_node(automount_t) -corenet_udp_sendrecv_generic_node(automount_t) -corenet_tcp_sendrecv_all_ports(automount_t) -corenet_udp_sendrecv_all_ports(automount_t) -corenet_tcp_bind_generic_node(automount_t) -corenet_udp_bind_generic_node(automount_t) -corenet_tcp_connect_portmap_port(automount_t) -corenet_tcp_connect_all_ports(automount_t) -corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t) -corenet_sendrecv_all_client_packets(automount_t) -# Automount execs showmount when you browse /net. This is required until -# Someone writes a showmount policy -corenet_tcp_bind_reserved_port(automount_t) -corenet_tcp_bind_all_rpc_ports(automount_t) -corenet_udp_bind_reserved_port(automount_t) -corenet_udp_bind_all_rpc_ports(automount_t) - -dev_read_sysfs(automount_t) -dev_rw_autofs(automount_t) -# for SSP -dev_read_rand(automount_t) -dev_read_urand(automount_t) - -domain_use_interactive_fds(automount_t) -domain_dontaudit_read_all_domains_state(automount_t) - -files_dontaudit_write_var_dirs(automount_t) -files_getattr_all_dirs(automount_t) -files_list_mnt(automount_t) -files_getattr_home_dir(automount_t) -files_read_etc_files(automount_t) -files_read_etc_runtime_files(automount_t) -# for if the mount point is not labelled -files_getattr_isid_type_dirs(automount_t) -files_getattr_default_dirs(automount_t) -# because config files can be shell scripts -files_exec_etc_files(automount_t) -files_mounton_mnt(automount_t) - -fs_getattr_all_fs(automount_t) -fs_getattr_all_dirs(automount_t) -fs_search_auto_mountpoints(automount_t) -fs_manage_auto_mountpoints(automount_t) -fs_unmount_autofs(automount_t) -fs_mount_autofs(automount_t) -fs_manage_autofs_symlinks(automount_t) -fs_read_nfs_files(automount_t) - -storage_rw_fuse(automount_t) - -term_dontaudit_getattr_pty_dirs(automount_t) - -auth_use_nsswitch(automount_t) - -logging_send_syslog_msg(automount_t) -logging_search_logs(automount_t) - -miscfiles_read_localization(automount_t) -miscfiles_read_generic_certs(automount_t) - -# Run mount in the mount_t domain. -mount_domtrans(automount_t) -mount_signal(automount_t) - -userdom_dontaudit_use_unpriv_user_fds(automount_t) -userdom_dontaudit_search_user_home_dirs(automount_t) - -optional_policy(` - bind_search_cache(automount_t) -') - -optional_policy(` - fstools_domtrans(automount_t) -') - -optional_policy(` - kerberos_keytab_template(automount, automount_t) - kerberos_read_config(automount_t) - kerberos_dontaudit_write_config(automount_t) -') - -optional_policy(` - rpc_search_nfs_state_data(automount_t) -') - -optional_policy(` - samba_read_config(automount_t) - samba_manage_var_files(automount_t) -') - -optional_policy(` - seutil_sigchld_newrole(automount_t) -') - -optional_policy(` - udev_read_db(automount_t) -') diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc deleted file mode 100644 index 7e365494e..000000000 --- a/policy/modules/services/avahi.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) - -/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) -/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) -/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) - -/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) - -/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if deleted file mode 100644 index 61c74bcc4..000000000 --- a/policy/modules/services/avahi.if +++ /dev/null @@ -1,166 +0,0 @@ -## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture - -######################################## -## -## Execute avahi server in the avahi domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`avahi_domtrans',` - gen_require(` - type avahi_exec_t, avahi_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, avahi_exec_t, avahi_t) -') - -######################################## -## -## Send avahi a signal -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_signal',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signal; -') - -######################################## -## -## Send avahi a kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_kill',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process sigkill; -') - -######################################## -## -## Send avahi a signull -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_signull',` - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signull; -') - -######################################## -## -## Send and receive messages from -## avahi over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_dbus_chat',` - gen_require(` - type avahi_t; - class dbus send_msg; - ') - - allow $1 avahi_t:dbus send_msg; - allow avahi_t $1:dbus send_msg; -') - -######################################## -## -## Connect to avahi using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`avahi_stream_connect',` - gen_require(` - type avahi_t, avahi_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t) -') - -######################################## -## -## Do not audit attempts to search the avahi pid directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`avahi_dontaudit_search_pid',` - gen_require(` - type avahi_var_run_t; - ') - - dontaudit $1 avahi_var_run_t:dir search_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an avahi environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the avahi domain. -## -## -## -# -interface(`avahi_admin',` - gen_require(` - type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; - ') - - allow $1 avahi_t:process { ptrace signal_perms }; - ps_process_pattern($1, avahi_t) - - init_labeled_script_domtrans($1, avahi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, avahi_var_run_t) -') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te deleted file mode 100644 index a7a0e71a3..000000000 --- a/policy/modules/services/avahi.te +++ /dev/null @@ -1,112 +0,0 @@ -policy_module(avahi, 1.13.0) - -######################################## -# -# Declarations -# - -type avahi_t; -type avahi_exec_t; -init_daemon_domain(avahi_t, avahi_exec_t) - -type avahi_initrc_exec_t; -init_script_file(avahi_initrc_exec_t) - -type avahi_var_lib_t; -files_pid_file(avahi_var_lib_t) - -type avahi_var_run_t; -files_pid_file(avahi_var_run_t) - -######################################## -# -# Local policy -# - -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; -dontaudit avahi_t self:capability sys_tty_config; -allow avahi_t self:process { setrlimit signal_perms getcap setcap }; -allow avahi_t self:fifo_file rw_fifo_file_perms; -allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow avahi_t self:unix_dgram_socket create_socket_perms; -allow avahi_t self:tcp_socket create_stream_socket_perms; -allow avahi_t self:udp_socket create_socket_perms; -allow avahi_t self:packet_socket create_socket_perms; - -manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) - -manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) -allow avahi_t avahi_var_run_t:dir setattr_dir_perms; -files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) - -kernel_read_system_state(avahi_t) -kernel_read_kernel_sysctls(avahi_t) -kernel_read_network_state(avahi_t) - -corecmd_exec_bin(avahi_t) -corecmd_exec_shell(avahi_t) - -corenet_all_recvfrom_unlabeled(avahi_t) -corenet_all_recvfrom_netlabel(avahi_t) -corenet_tcp_sendrecv_generic_if(avahi_t) -corenet_udp_sendrecv_generic_if(avahi_t) -corenet_tcp_sendrecv_generic_node(avahi_t) -corenet_udp_sendrecv_generic_node(avahi_t) -corenet_tcp_sendrecv_all_ports(avahi_t) -corenet_udp_sendrecv_all_ports(avahi_t) -corenet_tcp_bind_generic_node(avahi_t) -corenet_udp_bind_generic_node(avahi_t) -corenet_tcp_bind_howl_port(avahi_t) -corenet_udp_bind_howl_port(avahi_t) -corenet_send_howl_client_packets(avahi_t) -corenet_receive_howl_server_packets(avahi_t) - -dev_read_sysfs(avahi_t) -dev_read_urand(avahi_t) - -fs_getattr_all_fs(avahi_t) -fs_search_auto_mountpoints(avahi_t) -fs_list_inotifyfs(avahi_t) - -domain_use_interactive_fds(avahi_t) - -files_read_etc_files(avahi_t) -files_read_etc_runtime_files(avahi_t) -files_read_usr_files(avahi_t) - -auth_use_nsswitch(avahi_t) - -init_signal_script(avahi_t) -init_signull_script(avahi_t) - -logging_send_syslog_msg(avahi_t) - -miscfiles_read_localization(avahi_t) -miscfiles_read_generic_certs(avahi_t) - -sysnet_domtrans_ifconfig(avahi_t) -sysnet_manage_config(avahi_t) -sysnet_etc_filetrans_config(avahi_t) - -userdom_dontaudit_use_unpriv_user_fds(avahi_t) -userdom_dontaudit_search_user_home_dirs(avahi_t) - -optional_policy(` - dbus_system_domain(avahi_t, avahi_exec_t) - dbus_system_bus_client(avahi_t) - dbus_connect_system_bus(avahi_t) - - init_dbus_chat_script(avahi_t) -') - -optional_policy(` - seutil_sigchld_newrole(avahi_t) -') - -optional_policy(` - udev_read_db(avahi_t) -') diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc deleted file mode 100644 index 59aa54f91..000000000 --- a/policy/modules/services/bind.fc +++ /dev/null @@ -1,63 +0,0 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - -/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) - -/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) -/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) - -/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - -/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - -ifdef(`distro_debian',` -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -') - -ifdef(`distro_gentoo',` -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -') - -ifdef(`distro_redhat',` -/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/proc(/.*)? <> -/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) -/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) -/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -') diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if deleted file mode 100644 index 44a1e3d16..000000000 --- a/policy/modules/services/bind.if +++ /dev/null @@ -1,399 +0,0 @@ -## Berkeley internet name domain DNS server. - -######################################## -## -## Execute bind server in the bind domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bind_initrc_domtrans',` - gen_require(` - type named_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, named_initrc_exec_t) -') - -######################################## -## -## Execute ndc in the ndc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bind_domtrans_ndc',` - gen_require(` - type ndc_t, ndc_exec_t; - ') - - domtrans_pattern($1, ndc_exec_t, ndc_t) -') - -######################################## -## -## Send generic signals to BIND. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_signal',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process signal; -') - -######################################## -## -## Send null sigals to BIND. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_signull',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process signull; -') - -######################################## -## -## Send BIND the kill signal -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_kill',` - gen_require(` - type named_t; - ') - - allow $1 named_t:process sigkill; -') - -######################################## -## -## Execute ndc in the ndc domain, and -## allow the specified role the ndc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`bind_run_ndc',` - gen_require(` - type ndc_t; - ') - - bind_domtrans_ndc($1) - role $2 types ndc_t; -') - -######################################## -## -## Execute bind in the named domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bind_domtrans',` - gen_require(` - type named_t, named_exec_t; - ') - - domtrans_pattern($1, named_exec_t, named_t) -') - -######################################## -## -## Read DNSSEC keys. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_dnssec_keys',` - gen_require(` - type named_conf_t, named_zone_t, dnssec_t; - ') - - read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t) -') - -######################################## -## -## Read BIND named configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_config',` - gen_require(` - type named_conf_t; - ') - - read_files_pattern($1, named_conf_t, named_conf_t) -') - -######################################## -## -## Write BIND named configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_write_config',` - gen_require(` - type named_conf_t; - ') - - write_files_pattern($1, named_conf_t, named_conf_t) - allow $1 named_conf_t:file setattr; -') - -######################################## -## -## Create, read, write, and delete -## BIND configuration directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_config_dirs',` - gen_require(` - type named_conf_t; - ') - - manage_dirs_pattern($1, named_conf_t, named_conf_t) -') - -######################################## -## -## Search the BIND cache directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_search_cache',` - gen_require(` - type named_conf_t, named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_conf_t:dir search_dir_perms; - allow $1 named_zone_t:dir search_dir_perms; - allow $1 named_cache_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete -## BIND cache files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_cache',` - gen_require(` - type named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_zone_t:dir search_dir_perms; - manage_files_pattern($1, named_cache_t, named_cache_t) - manage_lnk_files_pattern($1, named_cache_t, named_cache_t) -') - -######################################## -## -## Set the attributes of the BIND pid directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_setattr_pid_dirs',` - gen_require(` - type named_var_run_t; - ') - - allow $1 named_var_run_t:dir setattr; -') - -######################################## -## -## Set the attributes of the BIND zone directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_setattr_zone_dirs',` - gen_require(` - type named_zone_t; - ') - - allow $1 named_zone_t:dir setattr; -') - -######################################## -## -## Read BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_read_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - read_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## -## Manage BIND zone files. -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_manage_zone',` - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - manage_files_pattern($1, named_zone_t, named_zone_t) -') - -######################################## -## -## Send and receive datagrams to and from named. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`bind_udp_chat_named',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an bind environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bind domain. -## -## -## -# -interface(`bind_admin',` - gen_require(` - type named_t, named_tmp_t, named_log_t; - type named_conf_t, named_var_lib_t, named_var_run_t; - type named_cache_t, named_zone_t; - type dnssec_t, ndc_t; - type named_initrc_exec_t; - ') - - allow $1 named_t:process { ptrace signal_perms }; - ps_process_pattern($1, named_t) - - allow $1 ndc_t:process { ptrace signal_perms }; - ps_process_pattern($1, ndc_t) - - bind_run_ndc($1, $2) - - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, named_tmp_t) - - logging_list_logs($1) - admin_pattern($1, named_log_t) - - files_list_etc($1) - admin_pattern($1, named_conf_t) - - admin_pattern($1, named_cache_t) - admin_pattern($1, named_zone_t) - admin_pattern($1, dnssec_t) - - files_list_var_lib($1) - admin_pattern($1, named_var_lib_t) - - files_list_pids($1) - admin_pattern($1, named_var_run_t) -') diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te deleted file mode 100644 index 4deca04f0..000000000 --- a/policy/modules/services/bind.te +++ /dev/null @@ -1,260 +0,0 @@ -policy_module(bind, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow BIND to write the master zone files. -## Generally this is used for dynamic DNS or zone transfers. -##

-## -gen_tunable(named_write_master_zones, false) - -# for DNSSEC key files -type dnssec_t; -files_security_file(dnssec_t) - -type named_t; -type named_exec_t; -init_daemon_domain(named_t, named_exec_t) -role system_r types named_t; - -type named_checkconf_exec_t; -init_system_domain(named_t, named_checkconf_exec_t) - -# A type for configuration files of named. -type named_conf_t; -files_type(named_conf_t) -files_mountpoint(named_conf_t) - -# for secondary zone files -type named_cache_t; -files_type(named_cache_t) - -type named_initrc_exec_t; -init_script_file(named_initrc_exec_t) - -type named_log_t; -logging_log_file(named_log_t) - -type named_tmp_t; -files_tmp_file(named_tmp_t) - -type named_var_run_t; -files_pid_file(named_var_run_t) - -# for primary zone files -type named_zone_t; -files_type(named_zone_t) - -type ndc_t; -type ndc_exec_t; -init_system_domain(ndc_t, ndc_exec_t) -role system_r types ndc_t; - -######################################## -# -# Named local policy -# - -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -dontaudit named_t self:capability sys_tty_config; -allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; -allow named_t self:fifo_file rw_fifo_file_perms; -allow named_t self:unix_stream_socket create_stream_socket_perms; -allow named_t self:unix_dgram_socket create_socket_perms; -allow named_t self:tcp_socket create_stream_socket_perms; -allow named_t self:udp_socket create_socket_perms; - -allow named_t dnssec_t:file read_file_perms; - -# read configuration -allow named_t named_conf_t:dir list_dir_perms; -read_files_pattern(named_t, named_conf_t, named_conf_t) -read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) - -# write cache for secondary zones -manage_files_pattern(named_t, named_cache_t, named_cache_t) -manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) - -can_exec(named_t, named_exec_t) - -manage_files_pattern(named_t, named_log_t, named_log_t) -logging_log_filetrans(named_t, named_log_t, { file dir }) - -manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -manage_files_pattern(named_t, named_tmp_t, named_tmp_t) -files_tmp_filetrans(named_t, named_tmp_t, { file dir }) - -manage_files_pattern(named_t, named_var_run_t, named_var_run_t) -manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) -files_pid_filetrans(named_t, named_var_run_t, { file sock_file }) - -# read zone files -allow named_t named_zone_t:dir list_dir_perms; -read_files_pattern(named_t, named_zone_t, named_zone_t) -read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) - -kernel_read_kernel_sysctls(named_t) -kernel_read_system_state(named_t) -kernel_read_network_state(named_t) - -corecmd_search_bin(named_t) - -corenet_all_recvfrom_unlabeled(named_t) -corenet_all_recvfrom_netlabel(named_t) -corenet_tcp_sendrecv_generic_if(named_t) -corenet_udp_sendrecv_generic_if(named_t) -corenet_tcp_sendrecv_generic_node(named_t) -corenet_udp_sendrecv_generic_node(named_t) -corenet_tcp_sendrecv_all_ports(named_t) -corenet_udp_sendrecv_all_ports(named_t) -corenet_tcp_bind_generic_node(named_t) -corenet_udp_bind_generic_node(named_t) -corenet_tcp_bind_dns_port(named_t) -corenet_udp_bind_dns_port(named_t) -corenet_tcp_bind_rndc_port(named_t) -corenet_tcp_connect_all_ports(named_t) -corenet_sendrecv_dns_server_packets(named_t) -corenet_sendrecv_dns_client_packets(named_t) -corenet_sendrecv_rndc_server_packets(named_t) -corenet_sendrecv_rndc_client_packets(named_t) -corenet_dontaudit_udp_bind_all_reserved_ports(named_t) -corenet_udp_bind_all_unreserved_ports(named_t) - -dev_read_sysfs(named_t) -dev_read_rand(named_t) -dev_read_urand(named_t) - -domain_use_interactive_fds(named_t) - -files_read_etc_files(named_t) -files_read_etc_runtime_files(named_t) - -fs_getattr_all_fs(named_t) -fs_search_auto_mountpoints(named_t) - -auth_use_nsswitch(named_t) - -logging_send_syslog_msg(named_t) - -miscfiles_read_localization(named_t) -miscfiles_read_generic_certs(named_t) - -userdom_dontaudit_use_unpriv_user_fds(named_t) -userdom_dontaudit_search_user_home_dirs(named_t) - -tunable_policy(`named_write_master_zones',` - manage_dirs_pattern(named_t, named_zone_t, named_zone_t) - manage_files_pattern(named_t, named_zone_t, named_zone_t) - manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) -') - -optional_policy(` - init_dbus_chat_script(named_t) - - sysnet_dbus_chat_dhcpc(named_t) - - dbus_system_bus_client(named_t) - dbus_connect_system_bus(named_t) - - optional_policy(` - networkmanager_dbus_chat(named_t) - ') -') - -optional_policy(` - kerberos_keytab_template(named, named_t) -') - -optional_policy(` - # this seems like fds that arent being - # closed. these should probably be - # dontaudits instead. - networkmanager_rw_udp_sockets(named_t) - networkmanager_rw_packet_sockets(named_t) - networkmanager_rw_routing_sockets(named_t) -') - -optional_policy(` - seutil_sigchld_newrole(named_t) -') - -optional_policy(` - udev_read_db(named_t) -') - -######################################## -# -# NDC local policy -# - -# cjp: why net_admin?! -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t self:process { fork signal_perms }; -allow ndc_t self:fifo_file rw_fifo_file_perms; -allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; -allow ndc_t self:tcp_socket create_socket_perms; -allow ndc_t self:netlink_route_socket r_netlink_socket_perms; - -allow ndc_t dnssec_t:file read_file_perms; -allow ndc_t dnssec_t:lnk_file { getattr read }; - -stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) - -allow ndc_t named_conf_t:file read_file_perms; -allow ndc_t named_conf_t:lnk_file { getattr read }; - -allow ndc_t named_zone_t:dir search_dir_perms; - -kernel_read_kernel_sysctls(ndc_t) - -corenet_all_recvfrom_unlabeled(ndc_t) -corenet_all_recvfrom_netlabel(ndc_t) -corenet_tcp_sendrecv_generic_if(ndc_t) -corenet_tcp_sendrecv_generic_node(ndc_t) -corenet_tcp_sendrecv_all_ports(ndc_t) -corenet_tcp_bind_generic_node(ndc_t) -corenet_tcp_connect_rndc_port(ndc_t) -corenet_sendrecv_rndc_client_packets(ndc_t) - -domain_use_interactive_fds(ndc_t) - -files_read_etc_files(ndc_t) -files_search_pids(ndc_t) - -fs_getattr_xattr_fs(ndc_t) - -init_use_fds(ndc_t) -init_use_script_ptys(ndc_t) - -logging_send_syslog_msg(ndc_t) - -miscfiles_read_localization(ndc_t) - -sysnet_read_config(ndc_t) -sysnet_dns_name_resolve(ndc_t) - -userdom_use_user_terminals(ndc_t) - -term_dontaudit_use_console(ndc_t) - -# for /etc/rndc.key -ifdef(`distro_redhat',` - allow ndc_t named_conf_t:dir search; -') - -optional_policy(` - nis_use_ypbind(ndc_t) -') - -optional_policy(` - nscd_socket_use(ndc_t) -') - -optional_policy(` - ppp_dontaudit_use_fds(ndc_t) -') diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc deleted file mode 100644 index 0197980da..000000000 --- a/policy/modules/services/bitlbee.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) -/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) - -/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) - -/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if deleted file mode 100644 index de0bd6793..000000000 --- a/policy/modules/services/bitlbee.if +++ /dev/null @@ -1,59 +0,0 @@ -## Bitlbee service - -######################################## -## -## Read bitlbee configuration files -## -## -## -## Domain allowed accesss. -## -## -# -interface(`bitlbee_read_config',` - gen_require(` - type bitlbee_conf_t; - ') - - files_search_etc($1) - allow $1 bitlbee_conf_t:dir list_dir_perms; - allow $1 bitlbee_conf_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an bitlbee environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bitlbee domain. -## -## -## -# -interface(`bitlbee_admin',` - gen_require(` - type bitlbee_t, bitlbee_conf_t, bitlbee_var_t; - type bitlbee_initrc_exec_t; - ') - - allow $1 bitlbee_t:process { ptrace signal_perms }; - ps_process_pattern($1, bitlbee_t) - - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, bitlbee_conf_t) - - files_list_var($1) - admin_pattern($1, bitlbee_var_t) -') diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te deleted file mode 100644 index f4e7ad3d2..000000000 --- a/policy/modules/services/bitlbee.te +++ /dev/null @@ -1,94 +0,0 @@ -policy_module(bitlbee, 1.4.0) - -######################################## -# -# Declarations -# - -type bitlbee_t; -type bitlbee_exec_t; -init_daemon_domain(bitlbee_t, bitlbee_exec_t) -inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t) - -type bitlbee_conf_t; -files_config_file(bitlbee_conf_t) - -type bitlbee_initrc_exec_t; -init_script_file(bitlbee_initrc_exec_t) - -type bitlbee_tmp_t; -files_tmp_file(bitlbee_tmp_t) - -type bitlbee_var_t; -files_type(bitlbee_var_t) - -######################################## -# -# Local policy -# - -allow bitlbee_t self:capability { setgid setuid }; -allow bitlbee_t self:process signal; -allow bitlbee_t self:udp_socket create_socket_perms; -allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; -allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; -allow bitlbee_t self:fifo_file rw_fifo_file_perms; - -bitlbee_read_config(bitlbee_t) - -# tmp files -manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) - -# user account information is read and edited at runtime; give the usual -# r/w access to bitlbee_var_t -manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) -files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) - -kernel_read_system_state(bitlbee_t) - -corenet_all_recvfrom_unlabeled(bitlbee_t) -corenet_udp_sendrecv_generic_if(bitlbee_t) -corenet_udp_sendrecv_generic_node(bitlbee_t) -corenet_tcp_sendrecv_generic_if(bitlbee_t) -corenet_tcp_sendrecv_generic_node(bitlbee_t) -# Allow bitlbee to connect to jabber servers -corenet_tcp_connect_jabber_client_port(bitlbee_t) -corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) -# to AIM servers: -corenet_tcp_connect_aol_port(bitlbee_t) -corenet_tcp_sendrecv_aol_port(bitlbee_t) -# and to MMCC (Yahoo IM) servers: -corenet_tcp_connect_mmcc_port(bitlbee_t) -corenet_tcp_sendrecv_mmcc_port(bitlbee_t) -# and to MSNP (MSN Messenger) servers: -corenet_tcp_connect_msnp_port(bitlbee_t) -corenet_tcp_sendrecv_msnp_port(bitlbee_t) -# MSN can use passport auth, which is over http: -corenet_tcp_connect_http_port(bitlbee_t) -corenet_tcp_sendrecv_http_port(bitlbee_t) -corenet_tcp_connect_http_cache_port(bitlbee_t) -corenet_tcp_sendrecv_http_cache_port(bitlbee_t) - -dev_read_rand(bitlbee_t) -dev_read_urand(bitlbee_t) - -files_read_etc_files(bitlbee_t) -files_search_pids(bitlbee_t) -# grant read-only access to the user help files -files_read_usr_files(bitlbee_t) - -libs_legacy_use_shared_libs(bitlbee_t) - -auth_use_nsswitch(bitlbee_t) - -logging_send_syslog_msg(bitlbee_t) - -miscfiles_read_localization(bitlbee_t) - -sysnet_dns_name_resolve(bitlbee_t) - -optional_policy(` - # normally started from inetd using tcpwrappers, so use those entry points - tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) -') diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc deleted file mode 100644 index dc687e6d4..000000000 --- a/policy/modules/services/bluetooth.fc +++ /dev/null @@ -1,30 +0,0 @@ -# -# /etc -# -/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) -/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) -/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) -/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -# -# /var -# -/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) - -/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) -/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if deleted file mode 100644 index 3e4543141..000000000 --- a/policy/modules/services/bluetooth.if +++ /dev/null @@ -1,228 +0,0 @@ -## Bluetooth tools and system services. - -######################################## -## -## Role access for bluetooth -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`bluetooth_role',` - gen_require(` - type bluetooth_helper_t, bluetooth_helper_exec_t; - type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t; - ') - - role $1 types bluetooth_helper_t; - - domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - - # allow ps to show cdrecord and allow the user to kill it - ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process signal; - - manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - - manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) - manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -') - -##################################### -## -## Connect to bluetooth over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_stream_connect',` - gen_require(` - type bluetooth_t, bluetooth_var_run_t; - ') - - files_search_pids($1) - allow $1 bluetooth_t:socket rw_socket_perms; - stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) -') - -######################################## -## -## Execute bluetooth in the bluetooth domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bluetooth_domtrans',` - gen_require(` - type bluetooth_t, bluetooth_exec_t; - ') - - domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) -') - -######################################## -## -## Read bluetooth daemon configuration. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_read_config',` - gen_require(` - type bluetooth_conf_t; - ') - - allow $1 bluetooth_conf_t:file { getattr read ioctl }; -') - -######################################## -## -## Send and receive messages from -## bluetooth over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`bluetooth_dbus_chat',` - gen_require(` - type bluetooth_t; - class dbus send_msg; - ') - - allow $1 bluetooth_t:dbus send_msg; - allow bluetooth_t $1:dbus send_msg; -') - -######################################## -## -## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -# -interface(`bluetooth_domtrans_helper',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Execute bluetooth_helper in the bluetooth_helper domain, and -## allow the specified role the bluetooth_helper domain. (Deprecated) -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -## -## The type of the terminal allow the bluetooth_helper domain to use. -## -## -## -# -interface(`bluetooth_run_helper',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read bluetooth helper state files. -## -## -## -## Domain to not audit. -## -## -# -interface(`bluetooth_dontaudit_read_helper_state',` - gen_require(` - type bluetooth_helper_t; - ') - - dontaudit $1 bluetooth_helper_t:dir search; - dontaudit $1 bluetooth_helper_t:file { read getattr }; -') - -######################################## -## -## All of the rules required to administrate -## an bluetooth environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bluetooth domain. -## -## -## -# -interface(`bluetooth_admin',` - gen_require(` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; - type bluetooth_conf_t, bluetooth_conf_rw_t; - type bluetooth_initrc_exec_t; - ') - - allow $1 bluetooth_t:process { ptrace signal_perms }; - ps_process_pattern($1, bluetooth_t) - - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, bluetooth_tmp_t) - - files_list_var($1) - admin_pattern($1, bluetooth_lock_t) - - files_list_etc($1) - admin_pattern($1, bluetooth_conf_t) - admin_pattern($1, bluetooth_conf_rw_t) - - files_list_spool($1) - admin_pattern($1, bluetooth_spool_t) - - files_list_var_lib($1) - admin_pattern($1, bluetooth_var_lib_t) - - files_list_pids($1) - admin_pattern($1, bluetooth_var_run_t) -') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te deleted file mode 100644 index 215b86b78..000000000 --- a/policy/modules/services/bluetooth.te +++ /dev/null @@ -1,244 +0,0 @@ -policy_module(bluetooth, 3.3.0) - -######################################## -# -# Declarations -# -type bluetooth_t; -type bluetooth_exec_t; -init_daemon_domain(bluetooth_t, bluetooth_exec_t) - -type bluetooth_conf_t; -files_type(bluetooth_conf_t) - -type bluetooth_conf_rw_t; -files_type(bluetooth_conf_rw_t) - -type bluetooth_helper_t; -type bluetooth_helper_exec_t; -typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t }; -typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t }; -application_domain(bluetooth_helper_t, bluetooth_helper_exec_t) -ubac_constrained(bluetooth_helper_t) - -type bluetooth_helper_tmp_t; -typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t }; -typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t }; -files_tmp_file(bluetooth_helper_tmp_t) -ubac_constrained(bluetooth_helper_tmp_t) - -type bluetooth_helper_tmpfs_t; -typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t }; -typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t }; -files_tmpfs_file(bluetooth_helper_tmpfs_t) -ubac_constrained(bluetooth_helper_tmpfs_t) - -type bluetooth_initrc_exec_t; -init_script_file(bluetooth_initrc_exec_t) - -type bluetooth_lock_t; -files_lock_file(bluetooth_lock_t) - -type bluetooth_tmp_t; -files_tmp_file(bluetooth_tmp_t) - -type bluetooth_var_lib_t; -files_type(bluetooth_var_lib_t) - -type bluetooth_var_run_t; -files_pid_file(bluetooth_var_run_t) - -######################################## -# -# Bluetooth services local policy -# - -#sys_admin capability - redhat bug 573015 -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; -dontaudit bluetooth_t self:capability sys_tty_config; -allow bluetooth_t self:process { getcap setcap getsched signal_perms }; -allow bluetooth_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_t self:shm create_shm_perms; -allow bluetooth_t self:socket create_stream_socket_perms; -allow bluetooth_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow bluetooth_t self:tcp_socket create_stream_socket_perms; -allow bluetooth_t self:udp_socket create_socket_perms; -allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; - -read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) - -manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) -filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file }) - -can_exec(bluetooth_t, bluetooth_helper_exec_t) - -allow bluetooth_t bluetooth_lock_t:file manage_file_perms; -files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) - -manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) - -manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) - -manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(bluetooth_t) -kernel_read_system_state(bluetooth_t) -kernel_read_network_state(bluetooth_t) -kernel_request_load_module(bluetooth_t) -#search debugfs - redhat bug 548206 -kernel_search_debugfs(bluetooth_t) - -corenet_all_recvfrom_unlabeled(bluetooth_t) -corenet_all_recvfrom_netlabel(bluetooth_t) -corenet_tcp_sendrecv_generic_if(bluetooth_t) -corenet_udp_sendrecv_generic_if(bluetooth_t) -corenet_raw_sendrecv_generic_if(bluetooth_t) -corenet_tcp_sendrecv_generic_node(bluetooth_t) -corenet_udp_sendrecv_generic_node(bluetooth_t) -corenet_raw_sendrecv_generic_node(bluetooth_t) -corenet_tcp_sendrecv_all_ports(bluetooth_t) -corenet_udp_sendrecv_all_ports(bluetooth_t) - -dev_read_sysfs(bluetooth_t) -dev_rw_usbfs(bluetooth_t) -dev_rw_generic_usb_dev(bluetooth_t) -dev_read_urand(bluetooth_t) -dev_rw_input_dev(bluetooth_t) -dev_rw_wireless(bluetooth_t) - -fs_getattr_all_fs(bluetooth_t) -fs_search_auto_mountpoints(bluetooth_t) -fs_list_inotifyfs(bluetooth_t) - -#Handle bluetooth serial devices -term_use_unallocated_ttys(bluetooth_t) - -corecmd_exec_bin(bluetooth_t) -corecmd_exec_shell(bluetooth_t) - -domain_use_interactive_fds(bluetooth_t) -domain_dontaudit_search_all_domains_state(bluetooth_t) - -files_read_etc_files(bluetooth_t) -files_read_etc_runtime_files(bluetooth_t) -files_read_usr_files(bluetooth_t) - -auth_use_nsswitch(bluetooth_t) - -logging_send_syslog_msg(bluetooth_t) - -miscfiles_read_localization(bluetooth_t) -miscfiles_read_fonts(bluetooth_t) -miscfiles_read_hwdata(bluetooth_t) - -userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) -userdom_dontaudit_use_user_terminals(bluetooth_t) -userdom_dontaudit_search_user_home_dirs(bluetooth_t) - -optional_policy(` - dbus_system_bus_client(bluetooth_t) - dbus_connect_system_bus(bluetooth_t) - - optional_policy(` - cups_dbus_chat(bluetooth_t) - ') - - optional_policy(` - hal_dbus_chat(bluetooth_t) - ') - - optional_policy(` - networkmanager_dbus_chat(bluetooth_t) - ') - - optional_policy(` - pulseaudio_dbus_chat(bluetooth_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(bluetooth_t) -') - -optional_policy(` - udev_read_db(bluetooth_t) -') - -optional_policy(` - ppp_domtrans(bluetooth_t) -') - -######################################## -# -# Bluetooth helper programs local policy -# - -allow bluetooth_helper_t self:capability sys_nice; -allow bluetooth_helper_t self:process getsched; -allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_helper_t self:shm create_shm_perms; -allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow bluetooth_helper_t self:tcp_socket create_socket_perms; -allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; - -allow bluetooth_helper_t bluetooth_t:socket { read write }; - -manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file }) - -manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file }) - -kernel_read_system_state(bluetooth_helper_t) -kernel_read_kernel_sysctls(bluetooth_helper_t) - -dev_read_urand(bluetooth_helper_t) - -term_dontaudit_use_all_ttys(bluetooth_helper_t) - -corecmd_exec_bin(bluetooth_helper_t) -corecmd_exec_shell(bluetooth_helper_t) - -domain_read_all_domains_state(bluetooth_helper_t) - -files_read_etc_files(bluetooth_helper_t) -files_read_etc_runtime_files(bluetooth_helper_t) -files_read_usr_files(bluetooth_helper_t) -files_dontaudit_list_default(bluetooth_helper_t) - -locallogin_dontaudit_use_fds(bluetooth_helper_t) - -logging_send_syslog_msg(bluetooth_helper_t) - -miscfiles_read_localization(bluetooth_helper_t) - -sysnet_read_config(bluetooth_helper_t) - -optional_policy(` - bluetooth_dbus_chat(bluetooth_helper_t) - - dbus_system_bus_client(bluetooth_helper_t) - dbus_connect_system_bus(bluetooth_helper_t) -') - -optional_policy(` - nscd_socket_use(bluetooth_helper_t) -') - -optional_policy(` - xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) -') diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc deleted file mode 100644 index 8c8406342..000000000 --- a/policy/modules/services/bugzilla.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) - -/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if deleted file mode 100644 index de89d0f10..000000000 --- a/policy/modules/services/bugzilla.if +++ /dev/null @@ -1,77 +0,0 @@ -## Bugzilla server - -######################################## -## -## Allow the specified domain to search -## bugzilla directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`bugzilla_search_content',` - gen_require(` - type httpd_bugzilla_content_t; - ') - - allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## bugzilla script unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`bugzilla_dontaudit_rw_stream_sockets',` - gen_require(` - type httpd_bugzilla_script_t; - ') - - dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an bugzilla environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the bugzilla domain. -## -## -## -# -interface(`bugzilla_admin',` - gen_require(` - type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; - type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; - ') - - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_bugzilla_script_t) - - files_list_var_lib(httpd_bugzilla_script_t) - - apache_list_sys_content($1) - admin_pattern($1, httpd_bugzilla_script_exec_t) - admin_pattern($1, httpd_bugzilla_script_t) - admin_pattern($1, httpd_bugzilla_content_t) - admin_pattern($1, httpd_bugzilla_htaccess_t) - admin_pattern($1, httpd_bugzilla_rw_content_t) - admin_pattern($1, httpd_bugzilla_ra_content_t) -') diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te deleted file mode 100644 index 048abbf7a..000000000 --- a/policy/modules/services/bugzilla.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(bugzilla, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(bugzilla) - -######################################## -# -# bugzilla local policy -# - -allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; -allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; -allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; - -corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) -corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) -corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) -corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) -corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) -corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) -corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) - -files_search_var_lib(httpd_bugzilla_script_t) - -sysnet_read_config(httpd_bugzilla_script_t) -sysnet_use_ldap(httpd_bugzilla_script_t) - -optional_policy(` - mta_send_mail(httpd_bugzilla_script_t) -') - -optional_policy(` - mysql_search_db(httpd_bugzilla_script_t) - mysql_stream_connect(httpd_bugzilla_script_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_bugzilla_script_t) -') diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc deleted file mode 100644 index 5432d0e57..000000000 --- a/policy/modules/services/canna.fc +++ /dev/null @@ -1,23 +0,0 @@ -/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0) -/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0) - -/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0) -/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0) - -# -# /var -# -/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) -/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) - -/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0) -/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0) - -/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) -/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if deleted file mode 100644 index 4a26b0cbe..000000000 --- a/policy/modules/services/canna.if +++ /dev/null @@ -1,61 +0,0 @@ -## Canna - kana-kanji conversion server - -######################################## -## -## Connect to Canna using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`canna_stream_connect',` - gen_require(` - type canna_t, canna_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t) -') - -######################################## -## -## All of the rules required to administrate -## an canna environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the canna domain. -## -## -## -# -interface(`canna_admin',` - gen_require(` - type canna_t, canna_log_t, canna_var_lib_t; - type canna_var_run_t, canna_initrc_exec_t; - ') - - allow $1 canna_t:process { ptrace signal_perms }; - ps_process_pattern($1, canna_t) - - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, canna_log_t) - - files_list_var_lib($1) - admin_pattern($1, canna_var_lib_t) - - files_list_pids($1) - admin_pattern($1, canna_var_run_t) -') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te deleted file mode 100644 index 1d25efe36..000000000 --- a/policy/modules/services/canna.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(canna, 1.11.0) - -######################################## -# -# Declarations -# - -type canna_t; -type canna_exec_t; -init_daemon_domain(canna_t, canna_exec_t) - -type canna_initrc_exec_t; -init_script_file(canna_initrc_exec_t) - -type canna_log_t; -logging_log_file(canna_log_t) - -type canna_var_lib_t; -files_type(canna_var_lib_t) - -type canna_var_run_t; -files_pid_file(canna_var_run_t) - -######################################## -# -# Local policy -# - -allow canna_t self:capability { setgid setuid net_bind_service }; -dontaudit canna_t self:capability sys_tty_config; -allow canna_t self:process signal_perms; -allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; -allow canna_t self:unix_dgram_socket create_stream_socket_perms; -allow canna_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(canna_t, canna_log_t, canna_log_t) -allow canna_t canna_log_t:dir setattr; -logging_log_filetrans(canna_t, canna_log_t, { file dir }) - -manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -files_var_lib_filetrans(canna_t, canna_var_lib_t, file) - -manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(canna_t) -kernel_read_system_state(canna_t) - -corenet_all_recvfrom_unlabeled(canna_t) -corenet_all_recvfrom_netlabel(canna_t) -corenet_tcp_sendrecv_generic_if(canna_t) -corenet_tcp_sendrecv_generic_node(canna_t) -corenet_tcp_sendrecv_all_ports(canna_t) -corenet_tcp_connect_all_ports(canna_t) -corenet_sendrecv_all_client_packets(canna_t) - -dev_read_sysfs(canna_t) - -fs_getattr_all_fs(canna_t) -fs_search_auto_mountpoints(canna_t) - -domain_use_interactive_fds(canna_t) - -files_read_etc_files(canna_t) -files_read_etc_runtime_files(canna_t) -files_read_usr_files(canna_t) -files_search_tmp(canna_t) -files_dontaudit_read_root_files(canna_t) - -logging_send_syslog_msg(canna_t) - -miscfiles_read_localization(canna_t) - -sysnet_read_config(canna_t) - -userdom_dontaudit_use_unpriv_user_fds(canna_t) -userdom_dontaudit_search_user_home_dirs(canna_t) - -optional_policy(` - nis_use_ypbind(canna_t) -') - -optional_policy(` - seutil_sigchld_newrole(canna_t) -') - -optional_policy(` - udev_read_db(canna_t) -') diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc deleted file mode 100644 index 8a7177d41..000000000 --- a/policy/modules/services/ccs.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0) - -/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) - -/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) -/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if deleted file mode 100644 index 6ee2cc8ca..000000000 --- a/policy/modules/services/ccs.if +++ /dev/null @@ -1,75 +0,0 @@ -## Cluster Configuration System - -######################################## -## -## Execute a domain transition to run ccs. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ccs_domtrans',` - gen_require(` - type ccs_t, ccs_exec_t; - ') - - domtrans_pattern($1, ccs_exec_t, ccs_t) -') - -######################################## -## -## Connect to ccs over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ccs_stream_connect',` - gen_require(` - type ccs_t, ccs_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t) -') - -######################################## -## -## Read cluster configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ccs_read_config',` - gen_require(` - type cluster_conf_t; - ') - - read_files_pattern($1, cluster_conf_t, cluster_conf_t) -') - -######################################## -## -## Manage cluster configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ccs_manage_config',` - gen_require(` - type cluster_conf_t; - ') - - manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t) - manage_files_pattern($1, cluster_conf_t, cluster_conf_t) -') diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te deleted file mode 100644 index 4c90b57ee..000000000 --- a/policy/modules/services/ccs.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(ccs, 1.5.0) - -######################################## -# -# Declarations -# - -type ccs_t; -type ccs_exec_t; -init_daemon_domain(ccs_t, ccs_exec_t) - -type cluster_conf_t; -files_type(cluster_conf_t) - -type ccs_tmp_t; -files_tmp_file(ccs_tmp_t) - -type ccs_tmpfs_t; -files_tmpfs_file(ccs_tmpfs_t) - -type ccs_var_lib_t; -logging_log_file(ccs_var_lib_t) - -type ccs_var_log_t; -logging_log_file(ccs_var_log_t) - -type ccs_var_run_t; -files_pid_file(ccs_var_run_t) - -######################################## -# -# ccs local policy -# - -allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; -allow ccs_t self:process { signal setrlimit setsched }; -dontaudit ccs_t self:process ptrace; -allow ccs_t self:fifo_file rw_fifo_file_perms; -allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow ccs_t self:unix_dgram_socket create_socket_perms; -allow ccs_t self:netlink_route_socket r_netlink_socket_perms; -allow ccs_t self:tcp_socket create_stream_socket_perms; -allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg }; -# cjp: this needs to be fixed to be specific -allow ccs_t self:socket create_socket_perms; - -manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t) - -# tmp file -allow ccs_t ccs_tmp_t:dir manage_dir_perms; -manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) -manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) -files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir }) - -manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) -manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) -fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file }) - -# var lib files -manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) -manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) -files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) - -allow ccs_t ccs_var_log_t:dir setattr; -manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) - -# pid file -manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(ccs_t) - -corecmd_list_bin(ccs_t) -corecmd_exec_bin(ccs_t) - -corenet_all_recvfrom_unlabeled(ccs_t) -corenet_all_recvfrom_netlabel(ccs_t) -corenet_tcp_sendrecv_generic_if(ccs_t) -corenet_udp_sendrecv_generic_if(ccs_t) -corenet_tcp_sendrecv_generic_node(ccs_t) -corenet_udp_sendrecv_generic_node(ccs_t) -corenet_tcp_sendrecv_all_ports(ccs_t) -corenet_udp_sendrecv_all_ports(ccs_t) -corenet_tcp_bind_generic_node(ccs_t) -corenet_udp_bind_generic_node(ccs_t) -corenet_tcp_bind_cluster_port(ccs_t) -corenet_udp_bind_cluster_port(ccs_t) -corenet_udp_bind_netsupport_port(ccs_t) - -dev_read_urand(ccs_t) - -files_read_etc_files(ccs_t) -files_read_etc_runtime_files(ccs_t) - -init_rw_script_tmp_files(ccs_t) - -logging_send_syslog_msg(ccs_t) - -miscfiles_read_localization(ccs_t) - -sysnet_dns_name_resolve(ccs_t) - -userdom_manage_unpriv_user_shared_mem(ccs_t) -userdom_manage_unpriv_user_semaphores(ccs_t) - -ifdef(`hide_broken_symptoms', ` - corecmd_dontaudit_write_bin_dirs(ccs_t) - files_manage_isid_type_files(ccs_t) -') - -optional_policy(` - aisexec_stream_connect(ccs_t) - corosync_stream_connect(ccs_t) -') - -optional_policy(` - unconfined_use_fds(ccs_t) -') diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc deleted file mode 100644 index 79295d605..000000000 --- a/policy/modules/services/certmaster.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) -/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) - -/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) - -/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) -/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if deleted file mode 100644 index fa627873a..000000000 --- a/policy/modules/services/certmaster.if +++ /dev/null @@ -1,145 +0,0 @@ -## Certmaster SSL certificate distribution service - -######################################## -## -## Execute a domain transition to run certmaster. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certmaster_domtrans',` - gen_require(` - type certmaster_t, certmaster_exec_t; - ') - - domtrans_pattern($1, certmaster_exec_t, certmaster_t) -') - -#################################### -## -## Execute certmaster in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_exec',` - gen_require(` - type certmaster_exec_t; - ') - - can_exec($1, certmaster_exec_t) - corecmd_search_bin($1) -') - -####################################### -## -## read certmaster logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_read_log',` - gen_require(` - type certmaster_var_log_t; - ') - - read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -####################################### -## -## Append to certmaster logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_append_log',` - gen_require(` - type certmaster_var_log_t; - ') - - append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -####################################### -## -## Create, read, write, and delete -## certmaster logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmaster_manage_log',` - gen_require(` - type certmaster_var_log_t; - ') - - manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) -') - -######################################## -## -## All of the rules required to administrate -## an snort environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`certmaster_admin',` - gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; - type certmaster_etc_rw_t, certmaster_var_log_t; - type certmaster_initrc_exec_t; - ') - - allow $1 certmaster_t:process { ptrace signal_perms }; - ps_process_pattern($1, certmaster_t) - - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - miscfiles_manage_generic_cert_dirs($1) - miscfiles_manage_generic_cert_files($1) - - admin_pattern($1, certmaster_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, certmaster_var_run_t) - - logging_list_logs($1) - admin_pattern($1, certmaster_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, certmaster_var_lib_t) -') diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te deleted file mode 100644 index 338413216..000000000 --- a/policy/modules/services/certmaster.te +++ /dev/null @@ -1,71 +0,0 @@ -policy_module(certmaster, 1.2.0) - -######################################## -# -# Declarations -# - -type certmaster_t; -type certmaster_exec_t; -init_daemon_domain(certmaster_t, certmaster_exec_t) - -type certmaster_initrc_exec_t; -init_script_file(certmaster_initrc_exec_t) - -type certmaster_etc_rw_t; -files_type(certmaster_etc_rw_t) - -type certmaster_var_lib_t; -files_type(certmaster_var_lib_t) - -type certmaster_var_log_t; -logging_log_file(certmaster_var_log_t) - -type certmaster_var_run_t; -files_pid_file(certmaster_var_run_t) - -########################################### -# -# certmaster local policy -# - -allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; -allow certmaster_t self:tcp_socket create_stream_socket_perms; - -# config files -list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) -manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) - -# var/lib files for certmaster -manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) -manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) -files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) - -# log files -manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -logging_log_filetrans(certmaster_t, certmaster_var_log_t, file ) - -# pid file -manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) - -# read meminfo -kernel_read_system_state(certmaster_t) - -corecmd_search_bin(certmaster_t) -corecmd_getattr_bin_files(certmaster_t) - -corenet_tcp_bind_generic_node(certmaster_t) -corenet_tcp_bind_certmaster_port(certmaster_t) - -files_search_etc(certmaster_t) -files_list_var(certmaster_t) -files_search_var_lib(certmaster_t) - -auth_use_nsswitch(certmaster_t) - -miscfiles_read_localization(certmaster_t) - -miscfiles_manage_generic_cert_dirs(certmaster_t) -miscfiles_manage_generic_cert_files(certmaster_t) diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc deleted file mode 100644 index 5ad1a526f..000000000 --- a/policy/modules/services/certmonger.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) - -/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) - -/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if deleted file mode 100644 index 7a6e5baea..000000000 --- a/policy/modules/services/certmonger.if +++ /dev/null @@ -1,174 +0,0 @@ -## Certificate status monitor and PKI enrollment client - -######################################## -## -## Execute a domain transition to run certmonger. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certmonger_domtrans',` - gen_require(` - type certmonger_t, certmonger_exec_t; - ') - - domtrans_pattern($1, certmonger_exec_t, certmonger_t) -') - -######################################## -## -## Send and receive messages from -## certmonger over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_dbus_chat',` - gen_require(` - type certmonger_t; - class dbus send_msg; - ') - - allow $1 certmonger_t:dbus send_msg; - allow certmonger_t $1:dbus send_msg; -') - -######################################## -## -## Execute certmonger server in the certmonger domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`certmonger_initrc_domtrans',` - gen_require(` - type certmonger_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, certmonger_initrc_exec_t) -') - -######################################## -## -## Read certmonger PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_read_pid_files',` - gen_require(` - type certmonger_var_run_t; - ') - - files_search_pids($1) - allow $1 certmonger_var_run_t:file read_file_perms; -') - -######################################## -## -## Search certmonger lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_search_lib',` - gen_require(` - type certmonger_var_lib_t; - ') - - allow $1 certmonger_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read certmonger lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_read_lib_files',` - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## certmonger lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`certmonger_manage_lib_files',` - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an certmonger environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`certmonger_admin',` - gen_require(` - type certmonger_t, certmonger_initrc_exec_t; - type certmonger_var_lib_t, certmonger_var_run_t; - ') - - ps_process_pattern($1, certmonger_t) - allow $1 certmonger_t:process { ptrace signal_perms }; - - # Allow certmonger_t to restart the apache service - certmonger_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - - files_search_pids($1) - admin_pattern($1, certmonger_var_run_t) -') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te deleted file mode 100644 index c3e3f79de..000000000 --- a/policy/modules/services/certmonger.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(certmonger, 1.1.0) - -######################################## -# -# Declarations -# - -type certmonger_t; -type certmonger_exec_t; -init_daemon_domain(certmonger_t, certmonger_exec_t) - -type certmonger_initrc_exec_t; -init_script_file(certmonger_initrc_exec_t) - -type certmonger_var_run_t; -files_pid_file(certmonger_var_run_t) - -type certmonger_var_lib_t; -files_type(certmonger_var_lib_t) - -######################################## -# -# certmonger local policy -# - -allow certmonger_t self:capability { kill sys_nice }; -allow certmonger_t self:process { getsched setsched sigkill }; -allow certmonger_t self:fifo_file rw_file_perms; -allow certmonger_t self:unix_stream_socket create_stream_socket_perms; -allow certmonger_t self:tcp_socket create_stream_socket_perms; -allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; - -manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) - -manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) - -corenet_tcp_sendrecv_generic_if(certmonger_t) -corenet_tcp_sendrecv_generic_node(certmonger_t) -corenet_tcp_sendrecv_all_ports(certmonger_t) -corenet_tcp_connect_certmaster_port(certmonger_t) - -dev_read_urand(certmonger_t) - -domain_use_interactive_fds(certmonger_t) - -files_read_etc_files(certmonger_t) -files_read_usr_files(certmonger_t) -files_list_tmp(certmonger_t) - -logging_send_syslog_msg(certmonger_t) - -miscfiles_read_localization(certmonger_t) -miscfiles_manage_generic_cert_files(certmonger_t) - -sysnet_dns_name_resolve(certmonger_t) - -optional_policy(` - dbus_system_bus_client(certmonger_t) - dbus_connect_system_bus(certmonger_t) -') - -optional_policy(` - kerberos_use(certmonger_t) -') - -optional_policy(` - pcscd_stream_connect(certmonger_t) -') diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc deleted file mode 100644 index b6bb46cf6..000000000 --- a/policy/modules/services/cgroup.fc +++ /dev/null @@ -1,15 +0,0 @@ -/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) -/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) - -/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0) -/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) - -/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) -/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) - -/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) -/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) -/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) - -/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) -/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if deleted file mode 100644 index 33facaf26..000000000 --- a/policy/modules/services/cgroup.if +++ /dev/null @@ -1,199 +0,0 @@ -## libcg is a library that abstracts the control group file system in Linux. - -######################################## -## -## Execute a domain transition to run -## CG Clear. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_domtrans_cgclear',` - gen_require(` - type cgclear_t, cgclear_exec_t; - ') - - domtrans_pattern($1, cgclear_exec_t, cgclear_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute a domain transition to run -## CG config parser. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_domtrans_cgconfig',` - gen_require(` - type cgconfig_t, cgconfig_exec_t; - ') - - domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute a domain transition to run -## CG config parser. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_initrc_domtrans_cgconfig',` - gen_require(` - type cgconfig_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) -') - -######################################## -## -## Execute a domain transition to run -## CG rules engine daemon. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_domtrans_cgred',` - gen_require(` - type cgred_t, cgred_exec_t; - ') - - domtrans_pattern($1, cgred_exec_t, cgred_t) - corecmd_search_bin($1) -') - -######################################## -## -## Execute a domain transition to run -## CG rules engine daemon. -## domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cgroup_initrc_domtrans_cgred',` - gen_require(` - type cgred_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgred_initrc_exec_t) -') - -######################################## -## -## Execute a domain transition to -## run CG Clear and allow the -## specified role the CG Clear -## domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cgroup_run_cgclear',` - gen_require(` - type cgclear_t; - ') - - cgroup_domtrans_cgclear($1) - role $2 types cgclear_t; -') - -######################################## -## -## Connect to CG rules engine daemon -## over unix stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`cgroup_stream_connect_cgred', ` - gen_require(` - type cgred_var_run_t, cgred_t; - ') - - stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an cgroup environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cgroup_admin',` - gen_require(` - type cgred_t, cgconfig_t, cgred_var_run_t; - type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; - type cgrules_etc_t, cgclear_t; - ') - - allow $1 cgclear_t:process { ptrace signal_perms }; - ps_process_pattern($1, cgclear_t) - - allow $1 cgconfig_t:process { ptrace signal_perms }; - ps_process_pattern($1, cgconfig_t) - - allow $1 cgred_t:process { ptrace signal_perms }; - ps_process_pattern($1, cgred_t) - - admin_pattern($1, cgconfig_etc_t) - admin_pattern($1, cgrules_etc_t) - files_list_etc($1) - - admin_pattern($1, cgred_var_run_t) - files_list_pids($1) - - cgroup_initrc_domtrans_cgconfig($1) - domain_system_change_exemption($1) - role_transition $2 cgconfig_initrc_exec_t system_r; - allow $2 system_r; - - cgroup_initrc_domtrans_cgred($1) - role_transition $2 cgred_initrc_exec_t system_r; - - cgroup_run_cgclear($1, $2) -') diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te deleted file mode 100644 index 806191ada..000000000 --- a/policy/modules/services/cgroup.te +++ /dev/null @@ -1,109 +0,0 @@ -policy_module(cgroup, 1.1.0) - -######################################## -# -# Declarations -# - -type cgclear_t; -type cgclear_exec_t; -init_daemon_domain(cgclear_t, cgclear_exec_t) - -type cgred_t; -type cgred_exec_t; -init_daemon_domain(cgred_t, cgred_exec_t) - -type cgred_initrc_exec_t; -init_script_file(cgred_initrc_exec_t) - -type cgred_log_t; -logging_log_file(cgred_log_t) - -type cgred_var_run_t; -files_pid_file(cgred_var_run_t) - -type cgrules_etc_t; -files_config_file(cgrules_etc_t) - -type cgconfig_t; -type cgconfig_exec_t; -init_daemon_domain(cgconfig_t, cgconfig_exec_t) - -type cgconfig_initrc_exec_t; -init_script_file(cgconfig_initrc_exec_t) - -type cgconfig_etc_t; -files_config_file(cgconfig_etc_t) - -######################################## -# -# cgclear personal policy. -# - -allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; - -kernel_read_system_state(cgclear_t) - -domain_setpriority_all_domains(cgclear_t) - -fs_manage_cgroup_dirs(cgclear_t) -fs_manage_cgroup_files(cgclear_t) -fs_unmount_cgroup(cgclear_t) - -######################################## -# -# cgconfig personal policy. -# - -allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; - -allow cgconfig_t cgconfig_etc_t:file read_file_perms; - -# search will do. -kernel_list_unlabeled(cgconfig_t) -kernel_read_system_state(cgconfig_t) - -# /etc/nsswitch.conf, /etc/passwd -files_read_etc_files(cgconfig_t) - -fs_manage_cgroup_dirs(cgconfig_t) -fs_manage_cgroup_files(cgconfig_t) -fs_mount_cgroup(cgconfig_t) -fs_mounton_cgroup(cgconfig_t) -fs_unmount_cgroup(cgconfig_t) - -######################################## -# -# cgred personal policy. -# - -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -allow cgred_t self:netlink_socket { write bind create read }; -allow cgred_t self:unix_dgram_socket { write create connect }; - -manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t) -logging_log_filetrans(cgred_t, cgred_log_t, file) - -allow cgred_t cgrules_etc_t:file read_file_perms; - -# rc script creates pid file -manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) - -kernel_read_system_state(cgred_t) - -domain_read_all_domains_state(cgred_t) -domain_setpriority_all_domains(cgred_t) - -files_getattr_all_files(cgred_t) -files_getattr_all_sockets(cgred_t) -files_read_all_symlinks(cgred_t) -# /etc/group -files_read_etc_files(cgred_t) - -fs_write_cgroup_files(cgred_t) - -logging_send_syslog_msg(cgred_t) - -miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc deleted file mode 100644 index fd8cd0b31..000000000 --- a/policy/modules/services/chronyd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) - -/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) - -/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) - -/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) -/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) -/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if deleted file mode 100644 index 9a0da9462..000000000 --- a/policy/modules/services/chronyd.if +++ /dev/null @@ -1,105 +0,0 @@ -## Chrony NTP background daemon - -##################################### -## -## Execute chronyd in the chronyd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`chronyd_domtrans',` - gen_require(` - type chronyd_t, chronyd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chronyd_exec_t, chronyd_t) -') - -#################################### -## -## Execute chronyd -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_exec',` - gen_require(` - type chronyd_exec_t; - ') - - can_exec($1, chronyd_exec_t) -') - -##################################### -## -## Read chronyd logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`chronyd_read_log',` - gen_require(` - type chronyd_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) -') - -#################################### -## -## All of the rules required to administrate -## an chronyd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the chronyd domain. -## -## -## -# -interface(`chronyd_admin',` - gen_require(` - type chronyd_t, chronyd_var_log_t; - type chronyd_var_run_t, chronyd_var_lib_t; - type chronyd_initrc_exec_t, chronyd_keys_t; - ') - - allow $1 chronyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, chronyd_t) - - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, chronyd_keys_t) - - logging_search_logs($1) - admin_pattern($1, chronyd_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, chronyd_var_run_t) - - files_search_tmp($1) - admin_pattern($1, chronyd_tmp_t) -') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te deleted file mode 100644 index fa82327a1..000000000 --- a/policy/modules/services/chronyd.te +++ /dev/null @@ -1,68 +0,0 @@ -policy_module(chronyd, 1.1.0) - -######################################## -# -# Declarations -# - -type chronyd_t; -type chronyd_exec_t; -init_daemon_domain(chronyd_t, chronyd_exec_t) - -type chronyd_initrc_exec_t; -init_script_file(chronyd_initrc_exec_t) - -type chronyd_keys_t; -files_type(chronyd_keys_t) - -type chronyd_var_lib_t; -files_type(chronyd_var_lib_t) - -type chronyd_var_log_t; -logging_log_file(chronyd_var_log_t) - -type chronyd_var_run_t; -files_pid_file(chronyd_var_run_t) - -######################################## -# -# Local policy -# - -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit }; -allow chronyd_t self:shm create_shm_perms; -allow chronyd_t self:udp_socket create_socket_perms; -allow chronyd_t self:unix_dgram_socket create_socket_perms; - -allow chronyd_t chronyd_keys_t:file read_file_perms; - -manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir }) - -manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) -logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir }) - -manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) - -corenet_udp_bind_ntp_port(chronyd_t) -# bind to udp/323 -corenet_udp_bind_chronyd_port(chronyd_t) - -# real time clock option -dev_rw_realtime_clock(chronyd_t) - -auth_use_nsswitch(chronyd_t) - -logging_send_syslog_msg(chronyd_t) - -miscfiles_read_localization(chronyd_t) - -optional_policy(` - gpsd_rw_shm(chronyd_t) -') diff --git a/policy/modules/services/cipe.fc b/policy/modules/services/cipe.fc deleted file mode 100644 index afcdf02b3..000000000 --- a/policy/modules/services/cipe.fc +++ /dev/null @@ -1,4 +0,0 @@ -# -# /usr -# -/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0) diff --git a/policy/modules/services/cipe.if b/policy/modules/services/cipe.if deleted file mode 100644 index b5fd6689b..000000000 --- a/policy/modules/services/cipe.if +++ /dev/null @@ -1 +0,0 @@ -## Encrypted tunnel daemon diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te deleted file mode 100644 index 8e1ef38b8..000000000 --- a/policy/modules/services/cipe.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(cipe, 1.5.0) - -######################################## -# -# Declarations -# - -type ciped_t; -type ciped_exec_t; -init_daemon_domain(ciped_t, ciped_exec_t) - -######################################## -# -# Local policy -# - -allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; -dontaudit ciped_t self:capability sys_tty_config; -allow ciped_t self:process signal_perms; -allow ciped_t self:fifo_file rw_fifo_file_perms; -allow ciped_t self:unix_dgram_socket create_socket_perms; -allow ciped_t self:unix_stream_socket create_socket_perms; -allow ciped_t self:udp_socket create_socket_perms; - -kernel_read_kernel_sysctls(ciped_t) -kernel_read_system_state(ciped_t) - -corecmd_exec_shell(ciped_t) -corecmd_exec_bin(ciped_t) - -corenet_all_recvfrom_unlabeled(ciped_t) -corenet_all_recvfrom_netlabel(ciped_t) -corenet_udp_sendrecv_generic_if(ciped_t) -corenet_udp_sendrecv_generic_node(ciped_t) -corenet_udp_sendrecv_all_ports(ciped_t) -corenet_udp_bind_generic_node(ciped_t) -# cipe uses the afs3-bos port (udp 7007) -corenet_udp_bind_afs_bos_port(ciped_t) -corenet_sendrecv_afs_bos_server_packets(ciped_t) - -dev_read_sysfs(ciped_t) -dev_read_rand(ciped_t) -# for SSP -dev_read_urand(ciped_t) - -domain_use_interactive_fds(ciped_t) - -files_read_etc_files(ciped_t) -files_read_etc_runtime_files(ciped_t) -files_dontaudit_search_var(ciped_t) - -fs_search_auto_mountpoints(ciped_t) - -logging_send_syslog_msg(ciped_t) - -miscfiles_read_localization(ciped_t) - -sysnet_read_config(ciped_t) - -userdom_dontaudit_use_unpriv_user_fds(ciped_t) - -optional_policy(` - nis_use_ypbind(ciped_t) -') - -optional_policy(` - seutil_sigchld_newrole(ciped_t) -') - -optional_policy(` - udev_read_db(ciped_t) -') diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc deleted file mode 100644 index e8e9a2131..000000000 --- a/policy/modules/services/clamav.fc +++ /dev/null @@ -1,20 +0,0 @@ -/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) -/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) - -/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - -/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) -/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - -/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if deleted file mode 100644 index 1f115723b..000000000 --- a/policy/modules/services/clamav.if +++ /dev/null @@ -1,192 +0,0 @@ -## ClamAV Virus Scanner - -######################################## -## -## Execute a domain transition to run clamd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clamav_domtrans',` - gen_require(` - type clamd_t, clamd_exec_t; - ') - - domtrans_pattern($1, clamd_exec_t, clamd_t) -') - -######################################## -## -## Connect to run clamd. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_stream_connect',` - gen_require(` - type clamd_t, clamd_var_run_t; - ') - - stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) -') - -######################################## -## -## Allow the specified domain to append -## to clamav log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_append_log',` - gen_require(` - type clamav_log_t; - ') - - logging_search_logs($1) - allow $1 clamav_log_t:dir list_dir_perms; - append_files_pattern($1, clamav_log_t, clamav_log_t) -') - -######################################## -## -## Read clamav configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_read_config',` - gen_require(` - type clamd_etc_t; - ') - - files_search_etc($1) - allow $1 clamd_etc_t:file read_file_perms; -') - -######################################## -## -## Search clamav libraries directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_search_lib',` - gen_require(` - type clamd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 clamd_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Execute a domain transition to run clamscan. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clamav_domtrans_clamscan',` - gen_require(` - type clamscan_t, clamscan_exec_t; - ') - - domtrans_pattern($1, clamscan_exec_t, clamscan_t) -') - -######################################## -## -## Execute clamscan without a transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`clamav_exec_clamscan',` - gen_require(` - type clamscan_exec_t; - ') - - can_exec($1, clamscan_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an clamav environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the clamav domain. -## -## -## -# -interface(`clamav_admin',` - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; - type clamd_var_log_t, clamd_var_lib_t; - type clamd_var_run_t, clamscan_t, clamscan_tmp_t; - type clamd_initrc_exec_t; - type freshclam_t, freshclam_var_log_t; - ') - - allow $1 clamd_t:process { ptrace signal_perms }; - ps_process_pattern($1, clamd_t) - - allow $1 clamscan_t:process { ptrace signal_perms }; - ps_process_pattern($1, clamscan_t) - - allow $1 freshclam_t:process { ptrace signal_perms }; - ps_process_pattern($1, freshclam_t) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, clamd_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, clamd_var_log_t) - - files_list_pids($1) - admin_pattern($1, clamd_var_run_t) - - files_list_tmp($1) - admin_pattern($1, clamd_tmp_t) - - admin_pattern($1, clamscan_tmp_t) - - admin_pattern($1, freshclam_var_log_t) -') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te deleted file mode 100644 index f75832372..000000000 --- a/policy/modules/services/clamav.te +++ /dev/null @@ -1,275 +0,0 @@ -policy_module(clamav, 1.9.0) - -## -##

-## Allow clamd to use JIT compiler -##

-## -gen_tunable(clamd_use_jit, false) - -######################################## -# -# Declarations -# - -# Main clamd domain -type clamd_t; -type clamd_exec_t; -init_daemon_domain(clamd_t, clamd_exec_t) - -# configuration files -type clamd_etc_t; -files_config_file(clamd_etc_t) - -type clamd_initrc_exec_t; -init_script_file(clamd_initrc_exec_t) - -# tmp files -type clamd_tmp_t; -files_tmp_file(clamd_tmp_t) - -# log files -type clamd_var_log_t; -logging_log_file(clamd_var_log_t) - -# var/lib files -type clamd_var_lib_t; -files_type(clamd_var_lib_t) - -# pid files -type clamd_var_run_t; -files_pid_file(clamd_var_run_t) -typealias clamd_var_run_t alias clamd_sock_t; - -type clamscan_t; -type clamscan_exec_t; -init_daemon_domain(clamscan_t, clamscan_exec_t) - -# tmp files -type clamscan_tmp_t; -files_tmp_file(clamscan_tmp_t) - -type freshclam_t; -type freshclam_exec_t; -init_daemon_domain(freshclam_t, freshclam_exec_t) - -# log files -type freshclam_var_log_t; -logging_log_file(freshclam_var_log_t) - -######################################## -# -# clamd local policy -# - -allow clamd_t self:capability { kill setgid setuid dac_override }; -dontaudit clamd_t self:capability sys_tty_config; -allow clamd_t self:fifo_file rw_fifo_file_perms; -allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow clamd_t self:unix_dgram_socket create_socket_perms; -allow clamd_t self:tcp_socket { listen accept }; - -# configuration files -allow clamd_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) - -# tmp files -manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) -manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) -files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) - -# var/lib files for clamd -manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) - -# log files -manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) - -# pid file -manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir }) - -kernel_dontaudit_list_proc(clamd_t) -kernel_read_sysctl(clamd_t) -kernel_read_kernel_sysctls(clamd_t) -kernel_read_system_state(clamd_t) - -corecmd_exec_shell(clamd_t) - -corenet_all_recvfrom_unlabeled(clamd_t) -corenet_all_recvfrom_netlabel(clamd_t) -corenet_tcp_sendrecv_generic_if(clamd_t) -corenet_tcp_sendrecv_generic_node(clamd_t) -corenet_tcp_sendrecv_all_ports(clamd_t) -corenet_tcp_sendrecv_clamd_port(clamd_t) -corenet_tcp_bind_generic_node(clamd_t) -corenet_tcp_bind_clamd_port(clamd_t) -corenet_tcp_bind_generic_port(clamd_t) -corenet_tcp_connect_generic_port(clamd_t) -corenet_sendrecv_clamd_server_packets(clamd_t) - -dev_read_rand(clamd_t) -dev_read_urand(clamd_t) - -domain_use_interactive_fds(clamd_t) - -files_read_etc_files(clamd_t) -files_read_etc_runtime_files(clamd_t) -files_search_spool(clamd_t) - -auth_use_nsswitch(clamd_t) - -logging_send_syslog_msg(clamd_t) - -miscfiles_read_localization(clamd_t) - -cron_use_fds(clamd_t) -cron_use_system_job_fds(clamd_t) -cron_rw_pipes(clamd_t) - -mta_read_config(clamd_t) -mta_send_mail(clamd_t) - -optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) - amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) - amavis_create_pid_files(clamd_t) -') - -optional_policy(` - exim_read_spool_files(clamd_t) -') - -tunable_policy(`clamd_use_jit',` - allow clamd_t self:process execmem; -', ` - dontaudit clamd_t self:process execmem; -') - -######################################## -# -# Freshclam local policy -# - -allow freshclam_t self:capability { setgid setuid dac_override }; -allow freshclam_t self:fifo_file rw_fifo_file_perms; -allow freshclam_t self:unix_stream_socket create_stream_socket_perms; -allow freshclam_t self:unix_dgram_socket create_socket_perms; -allow freshclam_t self:tcp_socket { listen accept }; - -# configuration files -allow freshclam_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) - -# var/lib files together with clamd -manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) - -# pidfiles- var/run together with clamd -manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) -manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(freshclam_t, clamd_var_run_t, file) - -# log files (own logfiles only) -manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) -allow freshclam_t freshclam_var_log_t:dir setattr; -allow freshclam_t clamd_var_log_t:dir search_dir_perms; -logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) - -corenet_all_recvfrom_unlabeled(freshclam_t) -corenet_all_recvfrom_netlabel(freshclam_t) -corenet_tcp_sendrecv_generic_if(freshclam_t) -corenet_tcp_sendrecv_generic_node(freshclam_t) -corenet_tcp_sendrecv_all_ports(freshclam_t) -corenet_tcp_sendrecv_clamd_port(freshclam_t) -corenet_tcp_connect_http_port(freshclam_t) -corenet_sendrecv_http_client_packets(freshclam_t) - -dev_read_rand(freshclam_t) -dev_read_urand(freshclam_t) - -domain_use_interactive_fds(freshclam_t) - -files_read_etc_files(freshclam_t) -files_read_etc_runtime_files(freshclam_t) - -auth_use_nsswitch(freshclam_t) - -logging_send_syslog_msg(freshclam_t) - -miscfiles_read_localization(freshclam_t) - -clamav_stream_connect(freshclam_t) - -optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) -') - -tunable_policy(`clamd_use_jit',` - allow freshclam_t self:process execmem; -', ` - dontaudit freshclam_t self:process execmem; -') - -######################################## -# -# clamscam local policy -# - -allow clamscan_t self:capability { setgid setuid dac_override }; -allow clamscan_t self:fifo_file rw_file_perms; -allow clamscan_t self:unix_stream_socket create_stream_socket_perms; -allow clamscan_t self:unix_dgram_socket create_socket_perms; -allow clamscan_t self:tcp_socket create_stream_socket_perms; - -# configuration files -allow clamscan_t clamd_etc_t:dir list_dir_perms; -read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) -read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) - -# tmp files -manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) -manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) -files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) - -# var/lib files together with clamd -manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) -allow clamscan_t clamd_var_lib_t:dir list_dir_perms; - -corenet_all_recvfrom_unlabeled(clamscan_t) -corenet_all_recvfrom_netlabel(clamscan_t) -corenet_tcp_sendrecv_generic_if(clamscan_t) -corenet_tcp_sendrecv_generic_node(clamscan_t) -corenet_tcp_sendrecv_all_ports(clamscan_t) -corenet_tcp_sendrecv_clamd_port(clamscan_t) -corenet_tcp_connect_clamd_port(clamscan_t) - -kernel_read_kernel_sysctls(clamscan_t) - -files_read_etc_files(clamscan_t) -files_read_etc_runtime_files(clamscan_t) -files_search_var_lib(clamscan_t) - -init_read_utmp(clamscan_t) -init_dontaudit_write_utmp(clamscan_t) - -miscfiles_read_localization(clamscan_t) -miscfiles_read_public_files(clamscan_t) - -clamav_stream_connect(clamscan_t) - -mta_send_mail(clamscan_t) - -optional_policy(` - amavis_read_spool_files(clamscan_t) -') - -optional_policy(` - apache_read_sys_content(clamscan_t) -') diff --git a/policy/modules/services/clockspeed.fc b/policy/modules/services/clockspeed.fc deleted file mode 100644 index a7aa38585..000000000 --- a/policy/modules/services/clockspeed.fc +++ /dev/null @@ -1,14 +0,0 @@ - -# -# /usr -# -/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) -/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) -/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) - -# -# /var -# -/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0) diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if deleted file mode 100644 index 07976176c..000000000 --- a/policy/modules/services/clockspeed.if +++ /dev/null @@ -1,44 +0,0 @@ -## Clockspeed simple network time protocol client - -######################################## -## -## Execute clockspeed utilities in the clockspeed_cli domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clockspeed_domtrans_cli',` - gen_require(` - type clockspeed_cli_t, clockspeed_cli_exec_t; - ') - - domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t) -') - -######################################## -## -## Allow the specified role the clockspeed_cli domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`clockspeed_run_cli',` - gen_require(` - type clockspeed_cli_t; - ') - - role $2 types clockspeed_cli_t; - clockspeed_domtrans_cli($1) -') diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te deleted file mode 100644 index b40f3f7b9..000000000 --- a/policy/modules/services/clockspeed.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(clockspeed, 1.5.0) - -######################################## -# -# Declarations -# - -type clockspeed_cli_t; -type clockspeed_cli_exec_t; -application_domain(clockspeed_cli_t, clockspeed_cli_exec_t) - -type clockspeed_srv_t; -type clockspeed_srv_exec_t; -init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t) - -type clockspeed_var_lib_t; -files_type(clockspeed_var_lib_t) - -######################################## -# -# Client local policy -# - -allow clockspeed_cli_t self:capability sys_time; -allow clockspeed_cli_t self:udp_socket create_socket_perms; - -read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - -corenet_all_recvfrom_unlabeled(clockspeed_cli_t) -corenet_all_recvfrom_netlabel(clockspeed_cli_t) -corenet_udp_sendrecv_generic_if(clockspeed_cli_t) -corenet_udp_sendrecv_generic_node(clockspeed_cli_t) -corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) -corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) - -files_list_var_lib(clockspeed_cli_t) -files_read_etc_files(clockspeed_cli_t) - -miscfiles_read_localization(clockspeed_cli_t) - -userdom_use_user_terminals(clockspeed_cli_t) - -######################################## -# -# Server local policy -# - -allow clockspeed_srv_t self:capability { sys_time net_bind_service }; -allow clockspeed_srv_t self:udp_socket create_socket_perms; -allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; -allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; - -manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) -manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - -corenet_all_recvfrom_unlabeled(clockspeed_srv_t) -corenet_all_recvfrom_netlabel(clockspeed_srv_t) -corenet_udp_sendrecv_generic_if(clockspeed_srv_t) -corenet_udp_sendrecv_generic_node(clockspeed_srv_t) -corenet_udp_sendrecv_ntp_port(clockspeed_srv_t) -corenet_udp_bind_generic_node(clockspeed_srv_t) -corenet_udp_bind_clockspeed_port(clockspeed_srv_t) -corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t) - -files_read_etc_files(clockspeed_srv_t) -files_list_var_lib(clockspeed_srv_t) - -miscfiles_read_localization(clockspeed_srv_t) - -optional_policy(` - daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) -') diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc deleted file mode 100644 index 6793948a8..000000000 --- a/policy/modules/services/clogd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) - -/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if deleted file mode 100644 index c0a66a412..000000000 --- a/policy/modules/services/clogd.if +++ /dev/null @@ -1,79 +0,0 @@ -## clogd - Clustered Mirror Log Server - -###################################### -## -## Execute a domain transition to run clogd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`clogd_domtrans',` - gen_require(` - type clogd_t, clogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clogd_exec_t, clogd_t) -') - -##################################### -## -## Connect to clogd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`clogd_stream_connect',` - gen_require(` - type clogd_t, clogd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t) -') - -##################################### -## -## Allow read and write access to clogd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`clogd_rw_semaphores',` - gen_require(` - type clogd_t; - ') - - allow $1 clogd_t:sem rw_sem_perms; -') - -######################################## -## -## Read and write to group shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`clogd_rw_shm',` - gen_require(` - type clogd_t, clogd_tmpfs_t; - ') - - allow $1 clogd_t:shm rw_shm_perms; - allow $1 clogd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) - fs_search_tmpfs($1) -') diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te deleted file mode 100644 index 607733902..000000000 --- a/policy/modules/services/clogd.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(clogd, 1.0.0) - -######################################## -# -# Declarations -# - -type clogd_t; -type clogd_exec_t; -init_daemon_domain(clogd_t, clogd_exec_t) - -type clogd_tmpfs_t; -files_tmpfs_file(clogd_tmpfs_t) - -# pid files -type clogd_var_run_t; -files_pid_file(clogd_var_run_t) - -######################################## -# -# clogd local policy -# - -allow clogd_t self:capability { net_admin mknod }; -allow clogd_t self:process signal; - -allow clogd_t self:sem create_sem_perms; -allow clogd_t self:shm create_shm_perms; -allow clogd_t self:netlink_socket create_socket_perms; -allow clogd_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) -manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) -fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file }) - -# pid files -manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) -manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) -files_pid_filetrans(clogd_t, clogd_var_run_t, { file }) - -dev_read_lvm_control(clogd_t) -dev_manage_generic_blk_files(clogd_t) - -storage_raw_read_fixed_disk(clogd_t) -storage_raw_write_fixed_disk(clogd_t) - -logging_send_syslog_msg(clogd_t) - -miscfiles_read_localization(clogd_t) - -optional_policy(` - aisexec_stream_connect(clogd_t) - corosync_stream_connect(clogd_t) -') diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc deleted file mode 100644 index 049e2b611..000000000 --- a/policy/modules/services/cmirrord.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) - -/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) - -/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if deleted file mode 100644 index f8463c0f7..000000000 --- a/policy/modules/services/cmirrord.if +++ /dev/null @@ -1,113 +0,0 @@ -## Cluster mirror log daemon - -######################################## -## -## Execute a domain transition to run cmirrord. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cmirrord_domtrans',` - gen_require(` - type cmirrord_t, cmirrord_exec_t; - ') - - domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) -') - -######################################## -## -## Execute cmirrord server in the cmirrord domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cmirrord_initrc_domtrans',` - gen_require(` - type cmirrord_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) -') - -######################################## -## -## Read cmirrord PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cmirrord_read_pid_files',` - gen_require(` - type cmirrord_var_run_t; - ') - - files_search_pids($1) - allow $1 cmirrord_var_run_t:file read_file_perms; -') - -####################################### -## -## Read and write to cmirrord shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`cmirrord_rw_shm',` - gen_require(` - type cmirrord_t, cmirrord_tmpfs_t; - ') - - allow $1 cmirrord_t:shm rw_shm_perms; - - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## All of the rules required to administrate -## an cmirrord environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cmirrord_admin',` - gen_require(` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - - allow $1 cmirrord_t:process { ptrace signal_perms }; - ps_process_pattern($1, cmirrord_t) - - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, cmirrord_var_run_t) -') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te deleted file mode 100644 index 28fdd8ad9..000000000 --- a/policy/modules/services/cmirrord.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(cmirrord, 1.0.0) - -######################################## -# -# Declarations -# - -type cmirrord_t; -type cmirrord_exec_t; -init_daemon_domain(cmirrord_t, cmirrord_exec_t) - -type cmirrord_initrc_exec_t; -init_script_file(cmirrord_initrc_exec_t) - -type cmirrord_tmpfs_t; -files_tmpfs_file(cmirrord_tmpfs_t) - -type cmirrord_var_run_t; -files_pid_file(cmirrord_var_run_t) - -######################################## -# -# cmirrord local policy -# - -allow cmirrord_t self:capability { net_admin kill }; -dontaudit cmirrord_t self:capability sys_tty_config; -allow cmirrord_t self:process { setfscreate signal}; -allow cmirrord_t self:fifo_file rw_fifo_file_perms; -allow cmirrord_t self:sem create_sem_perms; -allow cmirrord_t self:shm create_shm_perms; -allow cmirrord_t self:netlink_socket create_socket_perms; -allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) - -manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) - -domain_use_interactive_fds(cmirrord_t) -domain_obj_id_change_exemption(cmirrord_t) - -files_read_etc_files(cmirrord_t) - -storage_create_fixed_disk_dev(cmirrord_t) - -seutil_read_file_contexts(cmirrord_t) - -logging_send_syslog_msg(cmirrord_t) - -miscfiles_read_localization(cmirrord_t) - -optional_policy(` - corosync_stream_connect(cmirrord_t) -') diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc deleted file mode 100644 index 1cf6c4e4a..000000000 --- a/policy/modules/services/cobbler.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) - -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) - -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if deleted file mode 100644 index 116d60f51..000000000 --- a/policy/modules/services/cobbler.if +++ /dev/null @@ -1,185 +0,0 @@ -## Cobbler installation server. -## -##

-## Cobbler is a Linux installation server that allows for -## rapid setup of network installation environments. It -## glues together and automates many associated Linux -## tasks so you do not have to hop between lots of various -## commands and applications when rolling out new systems, -## and, in some cases, changing existing ones. -##

-## - -######################################## -## -## Execute a domain transition to run cobblerd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cobblerd_domtrans',` - gen_require(` - type cobblerd_t, cobblerd_exec_t; - ') - - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) -') - -######################################## -## -## Execute cobblerd server in the cobblerd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cobblerd_initrc_domtrans',` - gen_require(` - type cobblerd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) -') - -######################################## -## -## Read Cobbler content in /etc -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_read_config',` - gen_require(` - type cobbler_etc_t; - ') - - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) - files_search_etc($1) -') - -######################################## -## -## Do not audit attempts to read and write -## Cobbler log files (leaked fd). -## -## -## -## Domain to not audit. -## -## -# -interface(`cobbler_dontaudit_rw_log',` - gen_require(` - type cobbler_var_log_t; - ') - - dontaudit $1 cobbler_var_log_t:file rw_file_perms; -') - -######################################## -## -## Search cobbler dirs in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_search_lib',` - gen_require(` - type cobbler_var_lib_t; - ') - - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Read cobbler files in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_read_lib_files',` - gen_require(` - type cobbler_var_lib_t; - ') - - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Manage cobbler files in /var/lib -## -## -## -## Domain allowed access. -## -## -# -interface(`cobbler_manage_lib_files',` - gen_require(` - type cobbler_var_lib_t; - ') - - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## All of the rules required to administrate -## an cobblerd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`cobblerd_admin',` - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t; - ') - - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, cobblerd_t, cobblerd_t) - - files_search_etc($1) - admin_pattern($1, cobbler_etc_t) - - files_list_var_lib($1) - admin_pattern($1, cobbler_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, cobbler_var_log_t) - - admin_pattern($1, httpd_cobbler_content_rw_t) - - cobblerd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cobblerd_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te deleted file mode 100644 index 0258b4811..000000000 --- a/policy/modules/services/cobbler.te +++ /dev/null @@ -1,128 +0,0 @@ -policy_module(cobbler, 1.1.0) - -######################################## -# -# Cobbler personal declarations. -# - -## -##

-## Allow Cobbler to modify public files -## used for public file transfer services. -##

-## -gen_tunable(cobbler_anon_write, false) - -type cobblerd_t; -type cobblerd_exec_t; -init_daemon_domain(cobblerd_t, cobblerd_exec_t) - -type cobblerd_initrc_exec_t; -init_script_file(cobblerd_initrc_exec_t) - -type cobbler_etc_t; -files_config_file(cobbler_etc_t) - -type cobbler_var_log_t; -logging_log_file(cobbler_var_log_t) - -type cobbler_var_lib_t; -files_type(cobbler_var_lib_t) - -######################################## -# -# Cobbler personal policy. -# - -allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; -allow cobblerd_t self:process { getsched setsched signal }; -allow cobblerd_t self:fifo_file rw_fifo_file_perms; -allow cobblerd_t self:tcp_socket create_stream_socket_perms; - -list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) -read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) - -manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) - -append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) - -kernel_read_system_state(cobblerd_t) - -corecmd_exec_bin(cobblerd_t) -corecmd_exec_shell(cobblerd_t) - -corenet_all_recvfrom_netlabel(cobblerd_t) -corenet_all_recvfrom_unlabeled(cobblerd_t) -corenet_sendrecv_cobbler_server_packets(cobblerd_t) -corenet_tcp_bind_cobbler_port(cobblerd_t) -corenet_tcp_bind_generic_node(cobblerd_t) -corenet_tcp_sendrecv_generic_if(cobblerd_t) -corenet_tcp_sendrecv_generic_node(cobblerd_t) -corenet_tcp_sendrecv_generic_port(cobblerd_t) - -dev_read_urand(cobblerd_t) - -files_read_usr_files(cobblerd_t) -files_list_boot(cobblerd_t) -files_list_tmp(cobblerd_t) -# read /etc/nsswitch.conf -files_read_etc_files(cobblerd_t) - -miscfiles_read_localization(cobblerd_t) -miscfiles_read_public_files(cobblerd_t) - -sysnet_read_config(cobblerd_t) -sysnet_rw_dhcp_config(cobblerd_t) -sysnet_write_config(cobblerd_t) - -tunable_policy(`cobbler_anon_write',` - miscfiles_manage_public_files(cobblerd_t) -') - -optional_policy(` - bind_read_config(cobblerd_t) - bind_write_config(cobblerd_t) - bind_domtrans_ndc(cobblerd_t) - bind_domtrans(cobblerd_t) - bind_initrc_domtrans(cobblerd_t) - bind_manage_zone(cobblerd_t) -') - -optional_policy(` - dhcpd_domtrans(cobblerd_t) - dhcpd_initrc_domtrans(cobblerd_t) -') - -optional_policy(` - dnsmasq_domtrans(cobblerd_t) - dnsmasq_initrc_domtrans(cobblerd_t) - dnsmasq_write_config(cobblerd_t) -') - -optional_policy(` - rpm_exec(cobblerd_t) -') - -optional_policy(` - rsync_read_config(cobblerd_t) - rsync_write_config(cobblerd_t) -') - -optional_policy(` - tftp_manage_rw_content(cobblerd_t) -') - -######################################## -# -# Cobbler web local policy. -# - -apache_content_template(cobbler) -manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc deleted file mode 100644 index 78b2fea29..000000000 --- a/policy/modules/services/colord.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) - -/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) -/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if deleted file mode 100644 index 733e4e630..000000000 --- a/policy/modules/services/colord.if +++ /dev/null @@ -1,59 +0,0 @@ -## GNOME color manager - -######################################## -## -## Execute a domain transition to run colord. -## -## -## -## Domain allowed access. -## -## -# -interface(`colord_domtrans',` - gen_require(` - type colord_t, colord_exec_t; - ') - - domtrans_pattern($1, colord_exec_t, colord_t) -') - -######################################## -## -## Send and receive messages from -## colord over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`colord_dbus_chat',` - gen_require(` - type colord_t; - class dbus send_msg; - ') - - allow $1 colord_t:dbus send_msg; - allow colord_t $1:dbus send_msg; -') - -###################################### -## -## Read colord lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`colord_read_lib_files',` - gen_require(` - type colord_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) -') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te deleted file mode 100644 index 74505cca5..000000000 --- a/policy/modules/services/colord.te +++ /dev/null @@ -1,100 +0,0 @@ -policy_module(colord, 1.0.0) - -######################################## -# -# Declarations -# - -type colord_t; -type colord_exec_t; -dbus_system_domain(colord_t, colord_exec_t) - -type colord_tmp_t; -files_tmp_file(colord_tmp_t) - -type colord_tmpfs_t; -files_tmpfs_file(colord_tmpfs_t) - -type colord_var_lib_t; -files_type(colord_var_lib_t) - -######################################## -# -# colord local policy -# -allow colord_t self:capability { dac_read_search dac_override }; -allow colord_t self:process signal; -allow colord_t self:fifo_file rw_fifo_file_perms; -allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; -allow colord_t self:udp_socket create_socket_perms; -allow colord_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) -manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) - -manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) -manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) -fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) - -manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) -manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) -files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) - -kernel_getattr_proc_files(colord_t) -kernel_read_device_sysctls(colord_t) - -corenet_all_recvfrom_unlabeled(colord_t) -corenet_all_recvfrom_netlabel(colord_t) -corenet_udp_bind_generic_node(colord_t) -corenet_udp_bind_ipp_port(colord_t) -corenet_tcp_connect_ipp_port(colord_t) - -dev_read_video_dev(colord_t) -dev_write_video_dev(colord_t) -dev_rw_printer(colord_t) -dev_read_rand(colord_t) -dev_read_sysfs(colord_t) -dev_read_urand(colord_t) -dev_list_sysfs(colord_t) -dev_rw_generic_usb_dev(colord_t) - -domain_use_interactive_fds(colord_t) - -files_list_mnt(colord_t) -files_read_etc_files(colord_t) -files_read_usr_files(colord_t) - -fs_read_noxattr_fs_files(colord_t) - -logging_send_syslog_msg(colord_t) - -miscfiles_read_localization(colord_t) - -sysnet_dns_name_resolve(colord_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(colord_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(colord_t) -') - -optional_policy(` - cups_read_config(colord_t) - cups_read_rw_config(colord_t) - cups_stream_connect(colord_t) - cups_dbus_chat(colord_t) -') - -optional_policy(` - policykit_dbus_chat(colord_t) - policykit_domtrans_auth(colord_t) - policykit_read_lib(colord_t) - policykit_read_reload(colord_t) -') - -optional_policy(` - udev_read_db(colord_t) -') diff --git a/policy/modules/services/comsat.fc b/policy/modules/services/comsat.fc deleted file mode 100644 index e7633fa2b..000000000 --- a/policy/modules/services/comsat.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0) diff --git a/policy/modules/services/comsat.if b/policy/modules/services/comsat.if deleted file mode 100644 index afc4dfe7c..000000000 --- a/policy/modules/services/comsat.if +++ /dev/null @@ -1 +0,0 @@ -## Comsat, a biff server. diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te deleted file mode 100644 index 3d121fda7..000000000 --- a/policy/modules/services/comsat.te +++ /dev/null @@ -1,74 +0,0 @@ -policy_module(comsat, 1.7.0) - -######################################## -# -# Declarations -# - -type comsat_t; -type comsat_exec_t; -inetd_udp_service_domain(comsat_t, comsat_exec_t) -role system_r types comsat_t; - -type comsat_tmp_t; -files_tmp_file(comsat_tmp_t) - -type comsat_var_run_t; -files_pid_file(comsat_var_run_t) - -######################################## -# -# Local policy -# - -allow comsat_t self:capability { setuid setgid }; -allow comsat_t self:process signal_perms; -allow comsat_t self:fifo_file rw_fifo_file_perms; -allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow comsat_t self:tcp_socket connected_stream_socket_perms; -allow comsat_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) -manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) -files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir }) - -manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t) -files_pid_filetrans(comsat_t, comsat_var_run_t, file) - -kernel_read_kernel_sysctls(comsat_t) -kernel_read_network_state(comsat_t) -kernel_read_system_state(comsat_t) - -corenet_all_recvfrom_unlabeled(comsat_t) -corenet_all_recvfrom_netlabel(comsat_t) -corenet_tcp_sendrecv_generic_if(comsat_t) -corenet_udp_sendrecv_generic_if(comsat_t) -corenet_tcp_sendrecv_generic_node(comsat_t) -corenet_udp_sendrecv_generic_node(comsat_t) -corenet_udp_sendrecv_all_ports(comsat_t) - -dev_read_urand(comsat_t) - -fs_getattr_xattr_fs(comsat_t) - -files_read_etc_files(comsat_t) -files_list_usr(comsat_t) -files_search_spool(comsat_t) -files_search_home(comsat_t) - -auth_use_nsswitch(comsat_t) - -init_read_utmp(comsat_t) -init_dontaudit_write_utmp(comsat_t) - -logging_send_syslog_msg(comsat_t) - -miscfiles_read_localization(comsat_t) - -userdom_dontaudit_getattr_user_ttys(comsat_t) - -mta_getattr_spool(comsat_t) - -optional_policy(` - kerberos_use(comsat_t) -') diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc deleted file mode 100644 index 32233abf4..000000000 --- a/policy/modules/services/consolekit.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - -/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) - -/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if deleted file mode 100644 index fd15dfe1e..000000000 --- a/policy/modules/services/consolekit.if +++ /dev/null @@ -1,98 +0,0 @@ -## Framework for facilitating multiple user sessions on desktops. - -######################################## -## -## Execute a domain transition to run consolekit. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`consolekit_domtrans',` - gen_require(` - type consolekit_t, consolekit_exec_t; - ') - - domtrans_pattern($1, consolekit_exec_t, consolekit_t) -') - -######################################## -## -## Send and receive messages from -## consolekit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_dbus_chat',` - gen_require(` - type consolekit_t; - class dbus send_msg; - ') - - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; -') - -######################################## -## -## Read consolekit log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_read_log',` - gen_require(` - type consolekit_log_t; - ') - - read_files_pattern($1, consolekit_log_t, consolekit_log_t) - logging_search_logs($1) -') - -######################################## -## -## Manage consolekit log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_manage_log',` - gen_require(` - type consolekit_log_t; - ') - - manage_files_pattern($1, consolekit_log_t, consolekit_log_t) - files_search_pids($1) -') - -######################################## -## -## Read consolekit PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`consolekit_read_pid_files',` - gen_require(` - type consolekit_var_run_t; - ') - - files_search_pids($1) - allow $1 consolekit_var_run_t:dir list_dir_perms; - read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) -') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te deleted file mode 100644 index 42ed6a630..000000000 --- a/policy/modules/services/consolekit.te +++ /dev/null @@ -1,131 +0,0 @@ -policy_module(consolekit, 1.7.1) - -######################################## -# -# Declarations -# - -type consolekit_t; -type consolekit_exec_t; -init_daemon_domain(consolekit_t, consolekit_exec_t) - -type consolekit_log_t; -logging_log_file(consolekit_log_t) - -type consolekit_var_run_t; -files_pid_file(consolekit_var_run_t) - -######################################## -# -# consolekit local policy -# - -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -allow consolekit_t self:process { getsched signal }; -allow consolekit_t self:fifo_file rw_fifo_file_perms; -allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -allow consolekit_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -logging_log_filetrans(consolekit_t, consolekit_log_t, file) - -manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) - -kernel_read_system_state(consolekit_t) - -corecmd_exec_bin(consolekit_t) -corecmd_exec_shell(consolekit_t) - -dev_read_urand(consolekit_t) -dev_read_sysfs(consolekit_t) - -domain_read_all_domains_state(consolekit_t) -domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) - -files_read_etc_files(consolekit_t) -files_read_usr_files(consolekit_t) -# needs to read /var/lib/dbus/machine-id -files_read_var_lib_files(consolekit_t) -files_search_all_mountpoints(consolekit_t) - -fs_list_inotifyfs(consolekit_t) - -mcs_ptrace_all(consolekit_t) - -term_use_all_terms(consolekit_t) - -auth_use_nsswitch(consolekit_t) -auth_manage_pam_console_data(consolekit_t) -auth_write_login_records(consolekit_t) - -init_telinit(consolekit_t) -init_rw_utmp(consolekit_t) - -logging_send_syslog_msg(consolekit_t) -logging_send_audit_msgs(consolekit_t) - -miscfiles_read_localization(consolekit_t) - -userdom_dontaudit_read_user_home_content_files(consolekit_t) -userdom_read_user_tmp_files(consolekit_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(consolekit_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(consolekit_t) -') - -optional_policy(` - dbus_system_domain(consolekit_t, consolekit_exec_t) - - optional_policy(` - hal_dbus_chat(consolekit_t) - ') - - optional_policy(` - rpm_dbus_chat(consolekit_t) - ') - - optional_policy(` - unconfined_dbus_chat(consolekit_t) - ') -') - -optional_policy(` - hal_ptrace(consolekit_t) -') - -optional_policy(` - policykit_dbus_chat(consolekit_t) - policykit_domtrans_auth(consolekit_t) - policykit_read_lib(consolekit_t) - policykit_read_reload(consolekit_t) -') - -optional_policy(` - type consolekit_tmpfs_t; - files_tmpfs_file(consolekit_tmpfs_t) - - xserver_read_xdm_pid(consolekit_t) - xserver_read_user_xauth(consolekit_t) - xserver_non_drawing_client(consolekit_t) - corenet_tcp_connect_xserver_port(consolekit_t) - xserver_stream_connect(consolekit_t) - xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) -') - -optional_policy(` - udev_domtrans(consolekit_t) - udev_read_db(consolekit_t) - udev_signal(consolekit_t) -') - -optional_policy(` - #reading .Xauthity - unconfined_stream_connect(consolekit_t) -') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc deleted file mode 100644 index 3a6d7eb23..000000000 --- a/policy/modules/services/corosync.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) - -/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) - -/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) - -/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) - -/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) - -/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) -/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if deleted file mode 100644 index 5220c9d51..000000000 --- a/policy/modules/services/corosync.if +++ /dev/null @@ -1,106 +0,0 @@ -## Corosync Cluster Engine - -######################################## -## -## Execute a domain transition to run corosync. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`corosync_domtrans',` - gen_require(` - type corosync_t, corosync_exec_t; - ') - - domtrans_pattern($1, corosync_exec_t, corosync_t) -') - -####################################### -## -## Allow the specified domain to read corosync's log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`corosync_read_log',` - gen_require(` - type corosync_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t) - read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) -') - -##################################### -## -## Connect to corosync over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`corosync_stream_connect',` - gen_require(` - type corosync_t, corosync_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) -') - -###################################### -## -## All of the rules required to administrate -## an corosync environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the corosyncd domain. -## -## -## -# -interface(`corosyncd_admin',` - gen_require(` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; - ') - - allow $1 corosync_t:process { ptrace signal_perms }; - ps_process_pattern($1, corosync_t) - - init_labeled_script_domtrans($1, corosync_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, corosync_tmp_t) - - admin_pattern($1, corosync_tmpfs_t) - - files_list_var_lib($1) - admin_pattern($1, corosync_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, corosync_var_log_t) - - files_list_pids($1) - admin_pattern($1, corosync_var_run_t) -') diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te deleted file mode 100644 index 04969e599..000000000 --- a/policy/modules/services/corosync.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(corosync, 1.0.0) - -######################################## -# -# Declarations -# - -type corosync_t; -type corosync_exec_t; -init_daemon_domain(corosync_t, corosync_exec_t) - -type corosync_initrc_exec_t; -init_script_file(corosync_initrc_exec_t) - -type corosync_tmp_t; -files_tmp_file(corosync_tmp_t) - -type corosync_tmpfs_t; -files_tmpfs_file(corosync_tmpfs_t) - -type corosync_var_lib_t; -files_type(corosync_var_lib_t) - -type corosync_var_log_t; -logging_log_file(corosync_var_log_t) - -type corosync_var_run_t; -files_pid_file(corosync_var_run_t) - -######################################## -# -# corosync local policy -# - -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; - -allow corosync_t self:fifo_file rw_fifo_file_perms; -allow corosync_t self:sem create_sem_perms; -allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow corosync_t self:unix_dgram_socket create_socket_perms; -allow corosync_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) - -manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) - -manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) - -manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) - -manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) - -kernel_read_system_state(corosync_t) - -corecmd_exec_bin(corosync_t) - -corenet_udp_bind_netsupport_port(corosync_t) - -dev_read_urand(corosync_t) - -domain_read_all_domains_state(corosync_t) - -files_manage_mounttab(corosync_t) - -auth_use_nsswitch(corosync_t) - -init_read_script_state(corosync_t) -init_rw_script_tmp_files(corosync_t) - -logging_send_syslog_msg(corosync_t) - -miscfiles_read_localization(corosync_t) - -userdom_rw_user_tmpfs_files(corosync_t) - -optional_policy(` - ccs_read_config(corosync_t) -') - -optional_policy(` - # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(corosync_t) - - rhcs_rw_fenced_semaphores(corosync_t) - - rhcs_rw_gfs_controld_semaphores(corosync_t) -') - -optional_policy(` - rgmanager_manage_tmpfs_files(corosync_t) -') diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc deleted file mode 100644 index da786b9dd..000000000 --- a/policy/modules/services/courier.fc +++ /dev/null @@ -1,30 +0,0 @@ -/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) - -/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - -/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) - -/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - -ifdef(`distro_gentoo',` -/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -') - -/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) -/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) - -/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) - -/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if deleted file mode 100644 index 99713375d..000000000 --- a/policy/modules/services/courier.if +++ /dev/null @@ -1,216 +0,0 @@ -## Courier IMAP and POP3 email servers - -######################################## -## -## Template for creating courier server processes. -## -## -## -## Prefix name of the server process. -## -## -# -template(`courier_domain_template',` - - ############################## - # - # Declarations - # - - type courier_$1_t; - type courier_$1_exec_t; - init_daemon_domain(courier_$1_t, courier_$1_exec_t) - - ############################## - # - # Declarations - # - - allow courier_$1_t self:capability dac_override; - dontaudit courier_$1_t self:capability sys_tty_config; - allow courier_$1_t self:process { setpgid signal_perms }; - allow courier_$1_t self:fifo_file { read write getattr }; - allow courier_$1_t self:tcp_socket create_stream_socket_perms; - allow courier_$1_t self:udp_socket create_socket_perms; - - can_exec(courier_$1_t, courier_$1_exec_t) - - read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) - allow courier_$1_t courier_etc_t:dir list_dir_perms; - - manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - files_search_pids(courier_$1_t) - files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) - - kernel_read_system_state(courier_$1_t) - kernel_read_kernel_sysctls(courier_$1_t) - - corecmd_exec_bin(courier_$1_t) - - corenet_all_recvfrom_unlabeled(courier_$1_t) - corenet_all_recvfrom_netlabel(courier_$1_t) - corenet_tcp_sendrecv_generic_if(courier_$1_t) - corenet_udp_sendrecv_generic_if(courier_$1_t) - corenet_tcp_sendrecv_generic_node(courier_$1_t) - corenet_udp_sendrecv_generic_node(courier_$1_t) - corenet_tcp_sendrecv_all_ports(courier_$1_t) - corenet_udp_sendrecv_all_ports(courier_$1_t) - - dev_read_sysfs(courier_$1_t) - - domain_use_interactive_fds(courier_$1_t) - - files_read_etc_files(courier_$1_t) - files_read_etc_runtime_files(courier_$1_t) - files_read_usr_files(courier_$1_t) - - fs_getattr_xattr_fs(courier_$1_t) - fs_search_auto_mountpoints(courier_$1_t) - - logging_send_syslog_msg(courier_$1_t) - - sysnet_read_config(courier_$1_t) - - userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) - - optional_policy(` - seutil_sigchld_newrole(courier_$1_t) - ') - - optional_policy(` - udev_read_db(courier_$1_t) - ') -') - -######################################## -## -## Execute the courier authentication daemon with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`courier_domtrans_authdaemon',` - gen_require(` - type courier_authdaemon_t, courier_authdaemon_exec_t; - ') - - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) -') - -######################################## -## -## Execute the courier POP3 and IMAP server with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`courier_domtrans_pop',` - gen_require(` - type courier_pop_t, courier_pop_exec_t; - ') - - domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) -') - -######################################## -## -## Read courier config files -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_read_config',` - gen_require(` - type courier_etc_t; - ') - - read_files_pattern($1, courier_etc_t, courier_etc_t) -') - -######################################## -## -## Create, read, write, and delete courier -## spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_manage_spool_dirs',` - gen_require(` - type courier_spool_t; - ') - - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## -## Create, read, write, and delete courier -## spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_manage_spool_files',` - gen_require(` - type courier_spool_t; - ') - - manage_files_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## -## Read courier spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_read_spool',` - gen_require(` - type courier_spool_t; - ') - - read_files_pattern($1, courier_spool_t, courier_spool_t) -') - -######################################## -## -## Read and write to courier spool pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`courier_rw_spool_pipes',` - gen_require(` - type courier_spool_t; - ') - - allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; -') diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te deleted file mode 100644 index f7e31a239..000000000 --- a/policy/modules/services/courier.te +++ /dev/null @@ -1,148 +0,0 @@ -policy_module(courier, 1.11.1) - -######################################## -# -# Declarations -# - -courier_domain_template(authdaemon) - -type courier_etc_t; -files_config_file(courier_etc_t) - -courier_domain_template(pcp) - -courier_domain_template(pop) - -type courier_spool_t; -files_type(courier_spool_t) - -courier_domain_template(tcpd) - -type courier_var_lib_t; -files_type(courier_var_lib_t) - -type courier_var_run_t; -files_pid_file(courier_var_run_t) - -type courier_exec_t; -mta_agent_executable(courier_exec_t) - -courier_domain_template(sqwebmail) -typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; - -######################################## -# -# Authdaemon local policy -# - -allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; -allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -can_exec(courier_authdaemon_t, courier_exec_t) - -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; - -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:process sigchld; -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; - -create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) -manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -files_search_spool(courier_authdaemon_t) - -corecmd_search_bin(courier_authdaemon_t) - -# for SSP -dev_read_urand(courier_authdaemon_t) - -files_getattr_tmp_dirs(courier_authdaemon_t) - -auth_domtrans_chk_passwd(courier_authdaemon_t) - -libs_read_lib_files(courier_authdaemon_t) - -miscfiles_read_localization(courier_authdaemon_t) - -# should not be needed! -userdom_search_user_home_dirs(courier_authdaemon_t) - -courier_domtrans_pop(courier_authdaemon_t) - -######################################## -# -# Calendar (PCP) local policy -# - -allow courier_pcp_t self:capability { setuid setgid }; - -dev_read_rand(courier_pcp_t) - -######################################## -# -# POP3/IMAP local policy -# - -allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; -allow courier_pop_t courier_authdaemon_t:process sigchld; - -allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; - -# inherits file handle - should it? -allow courier_pop_t courier_var_lib_t:file { read write }; - -miscfiles_read_localization(courier_pop_t) - -courier_domtrans_authdaemon(courier_pop_t) - -# do the actual work (read the Maildir) -userdom_manage_user_home_content_files(courier_pop_t) -# cjp: the fact that this is different for pop vs imap means that -# there should probably be a courier_pop_t and courier_imap_t -# this should also probably be a separate type too instead of -# the regular home dir -userdom_manage_user_home_content_dirs(courier_pop_t) - -######################################## -# -# TCPd local policy -# - -allow courier_tcpd_t self:capability kill; - -can_exec(courier_tcpd_t, courier_exec_t) - -manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) -manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) -files_search_var_lib(courier_tcpd_t) - -corecmd_search_bin(courier_tcpd_t) - -corenet_tcp_bind_generic_node(courier_tcpd_t) -corenet_tcp_bind_pop_port(courier_tcpd_t) -corenet_sendrecv_pop_server_packets(courier_tcpd_t) - -# for TLS -dev_read_rand(courier_tcpd_t) -dev_read_urand(courier_tcpd_t) - -miscfiles_read_localization(courier_tcpd_t) - -courier_domtrans_pop(courier_tcpd_t) - -######################################## -# -# Webmail local policy -# - -kernel_read_kernel_sysctls(courier_sqwebmail_t) - -optional_policy(` - cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) -') diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc deleted file mode 100644 index 789c8c7d6..000000000 --- a/policy/modules/services/cpucontrol.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0) - -/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) - -/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) - -/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) diff --git a/policy/modules/services/cpucontrol.if b/policy/modules/services/cpucontrol.if deleted file mode 100644 index ff6310d4e..000000000 --- a/policy/modules/services/cpucontrol.if +++ /dev/null @@ -1,17 +0,0 @@ -## Services for loading CPU microcode and CPU frequency scaling. - -######################################## -## -## CPUcontrol stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`cpucontrol_stub',` - gen_require(` - type cpucontrol_t; - ') -') diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te deleted file mode 100644 index 13d2f6363..000000000 --- a/policy/modules/services/cpucontrol.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(cpucontrol, 1.3.0) - -######################################## -# -# Declarations -# - -type cpucontrol_t; -type cpucontrol_exec_t; -init_system_domain(cpucontrol_t, cpucontrol_exec_t) - -type cpucontrol_conf_t; -files_type(cpucontrol_conf_t) - -type cpuspeed_t; -type cpuspeed_exec_t; -init_system_domain(cpuspeed_t, cpuspeed_exec_t) - -type cpuspeed_var_run_t; -files_pid_file(cpuspeed_var_run_t) - -######################################## -# -# CPU microcode loader local policy -# - -allow cpucontrol_t self:capability { ipc_lock sys_rawio }; -dontaudit cpucontrol_t self:capability sys_tty_config; -allow cpucontrol_t self:process signal_perms; - -allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; -read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) -read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) - -kernel_list_proc(cpucontrol_t) -kernel_read_proc_symlinks(cpucontrol_t) -kernel_read_kernel_sysctls(cpucontrol_t) - -dev_read_sysfs(cpucontrol_t) -dev_rw_cpu_microcode(cpucontrol_t) - -fs_search_auto_mountpoints(cpucontrol_t) - -term_dontaudit_use_console(cpucontrol_t) - -domain_use_interactive_fds(cpucontrol_t) - -files_list_usr(cpucontrol_t) - -init_use_fds(cpucontrol_t) -init_use_script_ptys(cpucontrol_t) - -logging_send_syslog_msg(cpucontrol_t) - -userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t) - -optional_policy(` - nscd_socket_use(cpucontrol_t) -') - -optional_policy(` - rhgb_use_ptys(cpucontrol_t) -') - -optional_policy(` - seutil_sigchld_newrole(cpucontrol_t) -') - -optional_policy(` - udev_read_db(cpucontrol_t) -') - -######################################## -# -# CPU frequency scaling daemons -# - -dontaudit cpuspeed_t self:capability sys_tty_config; -allow cpuspeed_t self:process { signal_perms setsched }; -allow cpuspeed_t self:unix_dgram_socket create_socket_perms; - -allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms; -files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file) - -kernel_read_system_state(cpuspeed_t) -kernel_read_kernel_sysctls(cpuspeed_t) - -dev_write_sysfs_dirs(cpuspeed_t) -dev_rw_sysfs(cpuspeed_t) - -domain_use_interactive_fds(cpuspeed_t) -# for demand/load-based scaling: -domain_read_all_domains_state(cpuspeed_t) - -files_read_etc_files(cpuspeed_t) -files_read_etc_runtime_files(cpuspeed_t) -files_list_usr(cpuspeed_t) - -fs_search_auto_mountpoints(cpuspeed_t) - -term_dontaudit_use_console(cpuspeed_t) - -init_use_fds(cpuspeed_t) -init_use_script_ptys(cpuspeed_t) - -logging_send_syslog_msg(cpuspeed_t) - -miscfiles_read_localization(cpuspeed_t) - -userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) - -optional_policy(` - nscd_socket_use(cpuspeed_t) -') - -optional_policy(` - seutil_sigchld_newrole(cpuspeed_t) -') - -optional_policy(` - udev_read_db(cpuspeed_t) -') diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc deleted file mode 100644 index 2eefc08b8..000000000 --- a/policy/modules/services/cron.fc +++ /dev/null @@ -1,47 +0,0 @@ -/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - -/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) -/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - -/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) -/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) - -/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) - -/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) - -/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) -#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -/var/spool/cron/[^/]* -- <> - -ifdef(`distro_gentoo',` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <> -') - -ifdef(`distro_suse', ` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') - -/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/cron/crontabs/.* -- <> -#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - -/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/fcron/.* <> -/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if deleted file mode 100644 index 35241edfe..000000000 --- a/policy/modules/services/cron.if +++ /dev/null @@ -1,633 +0,0 @@ -## Periodic execution of scheduled commands. - -####################################### -## -## The common rules for a crontab domain. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`cron_common_crontab_template',` - ############################## - # - # Declarations - # - - type $1_t; - application_domain($1_t, crontab_exec_t) - ubac_constrained($1_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - ############################## - # - # Local policy - # - - # dac_override is to create the file in the directory under /tmp - allow $1_t self:capability { fowner setuid setgid chown dac_override }; - allow $1_t self:process { setsched signal_perms }; - allow $1_t self:fifo_file rw_fifo_file_perms; - - allow $1_t $1_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_t, $1_tmp_t, file) - - # create files in /var/spool/cron - manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) - filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) - files_list_spool($1_t) - - # crontab signals crond by updating the mtime on the spooldir - allow $1_t cron_spool_t:dir setattr; - - kernel_read_system_state($1_t) - - # for the checks used by crontab -u - selinux_dontaudit_search_fs($1_t) - - fs_getattr_xattr_fs($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_dontaudit_search_pids($1_t) - - auth_domtrans_chk_passwd($1_t) - - logging_send_syslog_msg($1_t) - logging_send_audit_msgs($1_t) - - init_dontaudit_write_utmp($1_t) - init_read_utmp($1_t) - - miscfiles_read_localization($1_t) - - seutil_read_config($1_t) - - userdom_manage_user_tmp_dirs($1_t) - userdom_manage_user_tmp_files($1_t) - # Access terminals. - userdom_use_user_terminals($1_t) - # Read user crontabs - userdom_read_user_home_content_files($1_t) - - tunable_policy(`fcron_crond',` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - dontaudit $1_t crond_t:process signal; - ') - - optional_policy(` - nscd_socket_use($1_t) - ') -') - -######################################## -## -## Role access for cron -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`cron_role',` - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - ') - - role $1 types { cronjob_t crontab_t }; - - # cronjob shows up in user ps - ps_process_pattern($2, cronjob_t) - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - - # crontab shows up in user ps - ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Role access for unconfined cronjobs -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`cron_unconfined_role',` - gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; - ') - - role $1 types { unconfined_cronjob_t crontab_t }; - - # cronjob shows up in user ps - ps_process_pattern($2, unconfined_cronjob_t) - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - - # crontab shows up in user ps - ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(unconfined_cronjob_t) - - allow unconfined_cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Role access for cron -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`cron_admin_role',` - gen_require(` - type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; - class passwd crontab; - ') - - role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; - - # cronjob shows up in user ps - ps_process_pattern($2, cronjob_t) - - # Manipulate other users crontab. - allow $2 self:passwd crontab; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - - # crontab shows up in user ps - ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process signal; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(admin_crontab_t, $2) - #corecmd_shell_domtrans(admin_crontab_t, $2) - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(admin_cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Make the specified program domain accessable -## from the system cron jobs. -## -## -## -## The type of the process to transition to. -## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# -interface(`cron_system_entry',` - gen_require(` - type crond_t, system_cronjob_t; - ') - - domtrans_pattern(system_cronjob_t, $2, $1) - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; -') - -######################################## -## -## Execute cron in the cron system domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cron_domtrans',` - gen_require(` - type system_cronjob_t, crond_exec_t; - ') - - domtrans_pattern($1, crond_exec_t, system_cronjob_t) -') - -######################################## -## -## Execute crond_exec_t -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_exec',` - gen_require(` - type crond_exec_t; - ') - - can_exec($1, crond_exec_t) -') - -######################################## -## -## Execute crond server in the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cron_initrc_domtrans',` - gen_require(` - type crond_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, crond_initrc_exec_t) -') - -######################################## -## -## Inherit and use a file descriptor -## from the cron daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_use_fds',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the cron daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_sigchld',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:process sigchld; -') - -######################################## -## -## Read a cron daemon unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_read_pipes',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to write cron daemon unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_write_pipes',` - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:fifo_file write; -') - -######################################## -## -## Read and write a cron daemon unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_pipes',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file { getattr read write }; -') - -######################################## -## -## Read, and write cron daemon TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') - - allow $1 crond_t:tcp_socket { read write }; -') - -######################################## -## -## Dontaudit Read, and write cron daemon TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:tcp_socket { read write }; -') - -######################################## -## -## Search the directory containing user cron tables. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_search_spool',` - gen_require(` - type cron_spool_t; - ') - - files_search_spool($1) - allow $1 cron_spool_t:dir search_dir_perms; -') - -######################################## -## -## Manage pid files used by cron -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_manage_pid_files',` - gen_require(` - type crond_var_run_t; - ') - - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) -') - -######################################## -## -## Execute anacron in the cron system domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cron_anacron_domtrans_system_job',` - gen_require(` - type system_cronjob_t, anacron_exec_t; - ') - - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) -') - -######################################## -## -## Inherit and use a file descriptor -## from system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_use_system_job_fds',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fd use; -') - -######################################## -## -## Write a system cron job unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_write_system_job_pipes',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:file write; -') - -######################################## -## -## Read and write a system cron job unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_system_job_pipes',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Allow read/write unix stream sockets from the system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_rw_system_job_stream_sockets',` - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:unix_stream_socket { read write }; -') - -######################################## -## -## Read temporary files from the system cron jobs. -## -## -## -## Domain allowed access. -## -## -# -interface(`cron_read_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to append temporary -## files from the system cron jobs. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_append_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file append_file_perms; -') - -######################################## -## -## Do not audit attempts to write temporary -## files from the system cron jobs. -## -## -## -## Domain to not audit. -## -## -# -interface(`cron_dontaudit_write_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te deleted file mode 100644 index f22d27ca8..000000000 --- a/policy/modules/services/cron.te +++ /dev/null @@ -1,628 +0,0 @@ -policy_module(cron, 2.3.0) - -gen_require(` - class passwd rootok; -') - -######################################## -# -# Declarations -# - -## -##

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

-## -gen_tunable(cron_can_relabel, false) - -## -##

-## Enable extra rules in the cron domain -## to support fcron. -##

-## -gen_tunable(fcron_crond, false) - -attribute cron_spool_type; - -type anacron_exec_t; -application_executable_file(anacron_exec_t) - -type cron_spool_t; -files_type(cron_spool_t) - -# var/lib files -type cron_var_lib_t; -files_type(cron_var_lib_t) - -type cron_var_run_t; -files_type(cron_var_run_t) - -# var/log files -type cron_log_t; -logging_log_file(cron_log_t) - -type cronjob_t; -typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; -typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; -domain_type(cronjob_t) -domain_cron_exemption_target(cronjob_t) -corecmd_shell_entry_type(cronjob_t) -ubac_constrained(cronjob_t) - -type crond_t; -type crond_exec_t; -init_daemon_domain(crond_t, crond_exec_t) -domain_interactive_fd(crond_t) -domain_cron_exemption_source(crond_t) - -type crond_initrc_exec_t; -init_script_file(crond_initrc_exec_t) - -type crond_tmp_t; -files_tmp_file(crond_tmp_t) - -type crond_var_run_t; -files_pid_file(crond_var_run_t) - -type crontab_exec_t; -application_executable_file(crontab_exec_t) - -cron_common_crontab_template(admin_crontab) -typealias admin_crontab_t alias sysadm_crontab_t; -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; - -cron_common_crontab_template(crontab) -typealias crontab_t alias { user_crontab_t staff_crontab_t }; -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; - -type system_cron_spool_t, cron_spool_type; -files_type(system_cron_spool_t) - -type system_cronjob_t alias system_crond_t; -init_daemon_domain(system_cronjob_t, anacron_exec_t) -corecmd_shell_entry_type(system_cronjob_t) -role system_r types system_cronjob_t; - -type system_cronjob_lock_t alias system_crond_lock_t; -files_lock_file(system_cronjob_lock_t) - -type system_cronjob_tmp_t alias system_crond_tmp_t; -files_tmp_file(system_cronjob_tmp_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) -') - -type unconfined_cronjob_t; -domain_type(unconfined_cronjob_t) -domain_cron_exemption_target(unconfined_cronjob_t) - -# Type of user crontabs once moved to cron spool. -type user_cron_spool_t, cron_spool_type; -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; -files_type(user_cron_spool_t) -ubac_constrained(user_cron_spool_t) - -######################################## -# -# Admin crontab local policy -# - -# Allow our crontab domain to unlink a user cron spool file. -allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; - -# Manipulate other users crontab. -selinux_get_fs_mount(admin_crontab_t) -selinux_validate_context(admin_crontab_t) -selinux_compute_access_vector(admin_crontab_t) -selinux_compute_create_context(admin_crontab_t) -selinux_compute_relabel_context(admin_crontab_t) -selinux_compute_user_contexts(admin_crontab_t) - -tunable_policy(`fcron_crond', ` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - allow admin_crontab_t self:process setfscreate; -') - -######################################## -# -# Cron daemon local policy -# - -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; -dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow crond_t self:process { setexec setfscreate }; -allow crond_t self:fd use; -allow crond_t self:fifo_file rw_fifo_file_perms; -allow crond_t self:unix_dgram_socket create_socket_perms; -allow crond_t self:unix_stream_socket create_stream_socket_perms; -allow crond_t self:unix_dgram_socket sendto; -allow crond_t self:unix_stream_socket connectto; -allow crond_t self:shm create_shm_perms; -allow crond_t self:sem create_sem_perms; -allow crond_t self:msgq create_msgq_perms; -allow crond_t self:msg { send receive }; -allow crond_t self:key { search write link }; - -manage_files_pattern(crond_t, cron_log_t, cron_log_t) -logging_log_filetrans(crond_t, cron_log_t, file) - -manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -files_pid_filetrans(crond_t, crond_var_run_t, file) - -manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - -manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) -manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) -files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - -list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - -kernel_read_kernel_sysctls(crond_t) -kernel_read_fs_sysctls(crond_t) -kernel_search_key(crond_t) - -dev_read_sysfs(crond_t) -selinux_get_fs_mount(crond_t) -selinux_validate_context(crond_t) -selinux_compute_access_vector(crond_t) -selinux_compute_create_context(crond_t) -selinux_compute_relabel_context(crond_t) -selinux_compute_user_contexts(crond_t) - -dev_read_urand(crond_t) - -fs_getattr_all_fs(crond_t) -fs_search_auto_mountpoints(crond_t) -fs_list_inotifyfs(crond_t) - -# need auth_chkpwd to check for locked accounts. -auth_domtrans_chk_passwd(crond_t) - -corecmd_exec_shell(crond_t) -corecmd_list_bin(crond_t) -corecmd_read_bin_symlinks(crond_t) - -domain_use_interactive_fds(crond_t) - -files_read_usr_files(crond_t) -files_read_etc_runtime_files(crond_t) -files_read_etc_files(crond_t) -files_read_generic_spool(crond_t) -files_list_usr(crond_t) -# Read from /var/spool/cron. -files_search_var_lib(crond_t) -files_search_default(crond_t) - -init_rw_utmp(crond_t) -init_spec_domtrans_script(crond_t) - -auth_use_nsswitch(crond_t) - -logging_send_syslog_msg(crond_t) -logging_set_loginuid(crond_t) - -seutil_read_config(crond_t) -seutil_read_default_contexts(crond_t) -seutil_sigchld_newrole(crond_t) - -miscfiles_read_localization(crond_t) - -userdom_use_unpriv_users_fds(crond_t) -# Not sure why this is needed -userdom_list_user_home_dirs(crond_t) - -mta_send_mail(crond_t) - -ifdef(`distro_debian',` - # pam_limits is used - allow crond_t self:process setrlimit; - - optional_policy(` - # Debian logcheck has the home dir set to its cache - logwatch_search_cache_dir(crond_t) - ') -') - -ifdef(`distro_redhat', ` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files - # via redirection of standard out. - optional_policy(` - rpm_manage_log(crond_t) - ') -') - -tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all(crond_t) -') - -tunable_policy(`fcron_crond', ` - allow crond_t system_cron_spool_t:file manage_file_perms; -') - -optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) -') - -optional_policy(` - amanda_search_var_lib(crond_t) -') - -optional_policy(` - amavis_search_lib(crond_t) -') - -optional_policy(` - hal_dbus_chat(crond_t) -') - -optional_policy(` - # cjp: why? - munin_search_lib(crond_t) -') - -optional_policy(` - rpc_search_nfs_state_data(crond_t) -') - -optional_policy(` - # Commonly used from postinst scripts - rpm_read_pipes(crond_t) -') - -optional_policy(` - # allow crond to find /usr/lib/postgresql/bin/do.maintenance - postgresql_search_db(crond_t) -') - -optional_policy(` - udev_read_db(crond_t) -') - -######################################## -# -# System cron process domain -# - -allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -allow system_cronjob_t self:process { signal_perms getsched setsched }; -allow system_cronjob_t self:fifo_file rw_fifo_file_perms; -allow system_cronjob_t self:passwd rootok; - -# This is to handle creation of files in /var/log directory. -# Used currently by rpm script log files -allow system_cronjob_t cron_log_t:file manage_file_perms; -logging_log_filetrans(system_cronjob_t, cron_log_t, file) - -# This is to handle /var/lib/misc directory. Used currently -# by prelink var/lib files for cron -allow system_cronjob_t cron_var_lib_t:file manage_file_perms; -files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - -allow system_cronjob_t system_cron_spool_t:file read_file_perms; -# The entrypoint interface is not used as this is not -# a regular entrypoint. Since crontab files are -# not directly executed, crond must ensure that -# the crontab file has a type that is appropriate -# for the domain of the user cron job. It -# performs an entrypoint permission check -# for this purpose. -allow system_cronjob_t system_cron_spool_t:file entrypoint; - -# Permit a transition from the crond_t domain to this domain. -# The transition is requested explicitly by the modified crond -# via setexeccon. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -allow crond_t system_cronjob_t:process transition; -dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; -allow crond_t system_cronjob_t:fd use; -allow system_cronjob_t crond_t:fd use; -allow system_cronjob_t crond_t:fifo_file rw_file_perms; -allow system_cronjob_t crond_t:process sigchld; - -# Write /var/lock/makewhatis.lock. -allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) - -# write temporary files -manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) -filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - -# Read from /var/spool/cron. -allow system_cronjob_t cron_spool_t:dir list_dir_perms; -allow system_cronjob_t cron_spool_t:file read_file_perms; - -kernel_read_kernel_sysctls(system_cronjob_t) -kernel_read_system_state(system_cronjob_t) -kernel_read_software_raid_state(system_cronjob_t) - -# ps does not need to access /boot when run from cron -files_dontaudit_search_boot(system_cronjob_t) - -corecmd_exec_all_executables(system_cronjob_t) - -corenet_all_recvfrom_unlabeled(system_cronjob_t) -corenet_all_recvfrom_netlabel(system_cronjob_t) -corenet_tcp_sendrecv_generic_if(system_cronjob_t) -corenet_udp_sendrecv_generic_if(system_cronjob_t) -corenet_tcp_sendrecv_generic_node(system_cronjob_t) -corenet_udp_sendrecv_generic_node(system_cronjob_t) -corenet_tcp_sendrecv_all_ports(system_cronjob_t) -corenet_udp_sendrecv_all_ports(system_cronjob_t) - -dev_getattr_all_blk_files(system_cronjob_t) -dev_getattr_all_chr_files(system_cronjob_t) -dev_read_urand(system_cronjob_t) - -fs_getattr_all_fs(system_cronjob_t) -fs_getattr_all_files(system_cronjob_t) -fs_getattr_all_symlinks(system_cronjob_t) -fs_getattr_all_pipes(system_cronjob_t) -fs_getattr_all_sockets(system_cronjob_t) - -# quiet other ps operations -domain_dontaudit_read_all_domains_state(system_cronjob_t) - -files_exec_etc_files(system_cronjob_t) -files_read_etc_files(system_cronjob_t) -files_read_etc_runtime_files(system_cronjob_t) -files_list_all(system_cronjob_t) -files_getattr_all_dirs(system_cronjob_t) -files_getattr_all_files(system_cronjob_t) -files_getattr_all_symlinks(system_cronjob_t) -files_getattr_all_pipes(system_cronjob_t) -files_getattr_all_sockets(system_cronjob_t) -files_read_usr_files(system_cronjob_t) -files_read_var_files(system_cronjob_t) -# for nscd: -files_dontaudit_search_pids(system_cronjob_t) -# Access other spool directories like -# /var/spool/anacron and /var/spool/slrnpull. -files_manage_generic_spool(system_cronjob_t) - -init_use_script_fds(system_cronjob_t) -init_read_utmp(system_cronjob_t) -init_dontaudit_rw_utmp(system_cronjob_t) -# prelink tells init to restart it self, we either need to allow or dontaudit -init_telinit(system_cronjob_t) -init_domtrans_script(system_cronjob_t) - -auth_use_nsswitch(system_cronjob_t) - -libs_exec_lib_files(system_cronjob_t) -libs_exec_ld_so(system_cronjob_t) - -logging_read_generic_logs(system_cronjob_t) -logging_send_audit_msgs(system_cronjob_t) -logging_send_syslog_msg(system_cronjob_t) - -miscfiles_read_localization(system_cronjob_t) -miscfiles_manage_man_pages(system_cronjob_t) - -seutil_read_config(system_cronjob_t) - -ifdef(`distro_redhat', ` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files - # via redirection of standard out. - optional_policy(` - rpm_manage_log(system_cronjob_t) - ') -') - -tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_cronjob_t) -',` - selinux_get_fs_mount(system_cronjob_t) - selinux_validate_context(system_cronjob_t) - selinux_compute_access_vector(system_cronjob_t) - selinux_compute_create_context(system_cronjob_t) - selinux_compute_relabel_context(system_cronjob_t) - selinux_compute_user_contexts(system_cronjob_t) - seutil_read_file_contexts(system_cronjob_t) -') - -optional_policy(` - # Needed for certwatch - apache_exec_modules(system_cronjob_t) - apache_read_config(system_cronjob_t) - apache_read_log(system_cronjob_t) - apache_read_sys_content(system_cronjob_t) -') - -optional_policy(` - cyrus_manage_data(system_cronjob_t) -') - -optional_policy(` - ftp_read_log(system_cronjob_t) -') - -optional_policy(` - inn_manage_log(system_cronjob_t) - inn_manage_pid(system_cronjob_t) - inn_read_config(system_cronjob_t) -') - -optional_policy(` - lpd_list_spool(system_cronjob_t) -') - -optional_policy(` - mrtg_append_create_logs(system_cronjob_t) -') - -optional_policy(` - mta_send_mail(system_cronjob_t) -') - -optional_policy(` - mysql_read_config(system_cronjob_t) -') - -optional_policy(` - postfix_read_config(system_cronjob_t) -') - -optional_policy(` - prelink_delete_cache(system_cronjob_t) - prelink_manage_lib(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_read_cache(system_cronjob_t) - prelink_relabelfrom_lib(system_cronjob_t) -') - -optional_policy(` - samba_read_config(system_cronjob_t) - samba_read_log(system_cronjob_t) - #samba_read_secrets(system_cronjob_t) -') - -optional_policy(` - slocate_create_append_log(system_cronjob_t) -') - -optional_policy(` - spamassassin_manage_lib_files(system_cronjob_t) -') - -optional_policy(` - sysstat_manage_log(system_cronjob_t) -') - -optional_policy(` - unconfined_domain(system_cronjob_t) - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) -') - -######################################## -# -# User cronjobs local policy -# - -allow cronjob_t self:process { signal_perms setsched }; -allow cronjob_t self:fifo_file rw_fifo_file_perms; -allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -allow cronjob_t self:unix_dgram_socket create_socket_perms; - -# The entrypoint interface is not used as this is not -# a regular entrypoint. Since crontab files are -# not directly executed, crond must ensure that -# the crontab file has a type that is appropriate -# for the domain of the user cron job. It -# performs an entrypoint permission check -# for this purpose. -allow cronjob_t user_cron_spool_t:file entrypoint; - -# Permit a transition from the crond_t domain to this domain. -# The transition is requested explicitly by the modified crond -# via setexeccon. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -allow crond_t cronjob_t:process transition; -dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; -allow crond_t cronjob_t:fd use; -allow cronjob_t crond_t:fd use; -allow cronjob_t crond_t:fifo_file rw_file_perms; -allow cronjob_t crond_t:process sigchld; - -kernel_read_system_state(cronjob_t) -kernel_read_kernel_sysctls(cronjob_t) - -# ps does not need to access /boot when run from cron -files_dontaudit_search_boot(cronjob_t) - -corenet_all_recvfrom_unlabeled(cronjob_t) -corenet_all_recvfrom_netlabel(cronjob_t) -corenet_tcp_sendrecv_generic_if(cronjob_t) -corenet_udp_sendrecv_generic_if(cronjob_t) -corenet_tcp_sendrecv_generic_node(cronjob_t) -corenet_udp_sendrecv_generic_node(cronjob_t) -corenet_tcp_sendrecv_all_ports(cronjob_t) -corenet_udp_sendrecv_all_ports(cronjob_t) -corenet_tcp_connect_all_ports(cronjob_t) -corenet_sendrecv_all_client_packets(cronjob_t) - -dev_read_urand(cronjob_t) - -fs_getattr_all_fs(cronjob_t) - -corecmd_exec_all_executables(cronjob_t) - -# quiet other ps operations -domain_dontaudit_read_all_domains_state(cronjob_t) -domain_dontaudit_getattr_all_domains(cronjob_t) - -files_read_usr_files(cronjob_t) -files_exec_etc_files(cronjob_t) -# for nscd: -files_dontaudit_search_pids(cronjob_t) - -libs_exec_lib_files(cronjob_t) -libs_exec_ld_so(cronjob_t) - -files_read_etc_runtime_files(cronjob_t) -files_read_var_files(cronjob_t) -files_search_spool(cronjob_t) - -logging_search_logs(cronjob_t) - -seutil_read_config(cronjob_t) - -miscfiles_read_localization(cronjob_t) - -userdom_manage_user_tmp_files(cronjob_t) -userdom_manage_user_tmp_symlinks(cronjob_t) -userdom_manage_user_tmp_pipes(cronjob_t) -userdom_manage_user_tmp_sockets(cronjob_t) -# Run scripts in user home directory and access shared libs. -userdom_exec_user_home_content_files(cronjob_t) -# Access user files and dirs. -userdom_manage_user_home_content_files(cronjob_t) -userdom_manage_user_home_content_symlinks(cronjob_t) -userdom_manage_user_home_content_pipes(cronjob_t) -userdom_manage_user_home_content_sockets(cronjob_t) -#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) - -list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) - -tunable_policy(`fcron_crond', ` - allow crond_t user_cron_spool_t:file manage_file_perms; -') - -# need a per-role version of this: -#optional_policy(` -# mono_domtrans(cronjob_t) -#') - -optional_policy(` - nis_use_ypbind(cronjob_t) -') - -######################################## -# -# Unconfined cronjobs local policy -# - -optional_policy(` - # Permit a transition from the crond_t domain to this domain. - # The transition is requested explicitly by the modified crond - # via setexeccon. There is no way to set up an automatic - # transition, since crontabs are configuration files, not executables. - allow crond_t unconfined_cronjob_t:process transition; - dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; - allow crond_t unconfined_cronjob_t:fd use; - - unconfined_domain(unconfined_cronjob_t) -') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc deleted file mode 100644 index 1b492eda8..000000000 --- a/policy/modules/services/cups.fc +++ /dev/null @@ -1,73 +0,0 @@ - -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) - -/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - -/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) - -# keep as separate lines to ensure proper sorting -/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) - -/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - -/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) -/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) - -/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) - -/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - -/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) - -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) -/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if deleted file mode 100644 index 305ddf460..000000000 --- a/policy/modules/services/cups.if +++ /dev/null @@ -1,358 +0,0 @@ -## Common UNIX printing system - -######################################## -## -## Setup cups to transtion to the cups backend domain -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_backend',` - gen_require(` - type cupsd_t; - ') - - domain_type($1) - domain_entry_file($1, $2) - role system_r types $1; - - domtrans_pattern(cupsd_t, $2, $1) - allow cupsd_t $1:process signal; - allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; - - cups_read_config($1) - cups_append_log($1) -') - -######################################## -## -## Execute cups in the cups domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cups_domtrans',` - gen_require(` - type cupsd_t, cupsd_exec_t; - ') - - domtrans_pattern($1, cupsd_exec_t, cupsd_t) -') - -######################################## -## -## Connect to cupsd over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_stream_connect',` - gen_require(` - type cupsd_t, cupsd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) -') - -######################################## -## -## Connect to cups over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send and receive messages from -## cups over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_dbus_chat',` - gen_require(` - type cupsd_t; - class dbus send_msg; - ') - - allow $1 cupsd_t:dbus send_msg; - allow cupsd_t $1:dbus send_msg; -') - -######################################## -## -## Read cups PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_read_pid_files',` - gen_require(` - type cupsd_var_run_t; - ') - - files_search_pids($1) - allow $1 cupsd_var_run_t:file read_file_perms; -') - -######################################## -## -## Execute cups_config in the cups_config domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cups_domtrans_config',` - gen_require(` - type cupsd_config_t, cupsd_config_exec_t; - ') - - domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) -') - -######################################## -## -## Send generic signals to the cups -## configuration daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_signal_config',` - gen_require(` - type cupsd_config_t; - ') - - allow $1 cupsd_config_t:process signal; -') - -######################################## -## -## Send and receive messages from -## cupsd_config over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_dbus_chat_config',` - gen_require(` - type cupsd_config_t; - class dbus send_msg; - ') - - allow $1 cupsd_config_t:dbus send_msg; - allow cupsd_config_t $1:dbus send_msg; -') - -######################################## -## -## Read cups configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`cups_read_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) -') - -######################################## -## -## Read cups-writable configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`cups_read_rw_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) -') - -######################################## -## -## Read cups log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`cups_read_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file read_file_perms; -') - -######################################## -## -## Append cups log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_append_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, cupsd_log_t, cupsd_log_t) -') - -######################################## -## -## Write cups log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_write_log',` - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file write_file_perms; -') - -######################################## -## -## Connect to ptal over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`cups_stream_connect_ptal',` - gen_require(` - type ptal_t, ptal_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) -') - -######################################## -## -## All of the rules required to administrate -## an cups environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the cups domain. -## -## -## -# -interface(`cups_admin',` - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t; - type ptal_var_run_t, hplip_var_run_t; - type cupsd_initrc_exec_t; - ') - - allow $1 cupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cupsd_t) - - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, cupsd_etc_t) - files_list_etc($1) - - admin_pattern($1, cupsd_config_var_run_t) - - admin_pattern($1, cupsd_log_t) - logging_list_logs($1) - - admin_pattern($1, cupsd_lpd_tmp_t) - - admin_pattern($1, cupsd_lpd_var_run_t) - - admin_pattern($1, cupsd_spool_t) - files_list_spool($1) - - admin_pattern($1, cupsd_tmp_t) - files_list_tmp($1) - - admin_pattern($1, cupsd_var_run_t) - files_list_pids($1) - - admin_pattern($1, hplip_var_run_t) - - admin_pattern($1, ptal_etc_t) - - admin_pattern($1, ptal_var_run_t) -') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te deleted file mode 100644 index 0f28095a2..000000000 --- a/policy/modules/services/cups.te +++ /dev/null @@ -1,781 +0,0 @@ -policy_module(cups, 1.14.0) - -######################################## -# -# Declarations -# - -type cupsd_config_t; -type cupsd_config_exec_t; -init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) - -type cupsd_config_var_run_t; -files_pid_file(cupsd_config_var_run_t) - -type cupsd_t; -type cupsd_exec_t; -init_daemon_domain(cupsd_t, cupsd_exec_t) - -type cupsd_etc_t; -files_config_file(cupsd_etc_t) - -type cupsd_initrc_exec_t; -init_script_file(cupsd_initrc_exec_t) - -type cupsd_interface_t; -files_type(cupsd_interface_t) - -type cupsd_rw_etc_t; -files_config_file(cupsd_rw_etc_t) - -type cupsd_lock_t; -files_lock_file(cupsd_lock_t) - -type cupsd_log_t; -logging_log_file(cupsd_log_t) - -type cupsd_lpd_t; -type cupsd_lpd_exec_t; -domain_type(cupsd_lpd_t) -domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) -role system_r types cupsd_lpd_t; - -type cupsd_lpd_tmp_t; -files_tmp_file(cupsd_lpd_tmp_t) - -type cupsd_lpd_var_run_t; -files_pid_file(cupsd_lpd_var_run_t) - -type cups_pdf_t; -type cups_pdf_exec_t; -cups_backend(cups_pdf_t, cups_pdf_exec_t) - -type cups_pdf_tmp_t; -files_tmp_file(cups_pdf_tmp_t) - -type cupsd_tmp_t; -files_tmp_file(cupsd_tmp_t) - -type cupsd_var_run_t; -files_pid_file(cupsd_var_run_t) -mls_trusted_object(cupsd_var_run_t) - -type hplip_t; -type hplip_exec_t; -init_daemon_domain(hplip_t, hplip_exec_t) -# For CUPS to run as a backend -cups_backend(hplip_t, hplip_exec_t) - -type hplip_etc_t; -files_config_file(hplip_etc_t) - -type hplip_tmp_t; -files_tmp_file(hplip_tmp_t) - -type hplip_var_lib_t; -files_type(hplip_var_lib_t) - -type hplip_var_run_t; -files_pid_file(hplip_var_run_t) - -type ptal_t; -type ptal_exec_t; -init_daemon_domain(ptal_t, ptal_exec_t) - -type ptal_etc_t; -files_config_file(ptal_etc_t) - -type ptal_var_run_t; -files_pid_file(ptal_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) -') - -######################################## -# -# Cups local policy -# - -# /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -allow cupsd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow cupsd_t self:unix_dgram_socket create_socket_perms; -allow cupsd_t self:netlink_selinux_socket create_socket_perms; -allow cupsd_t self:shm create_shm_perms; -allow cupsd_t self:sem create_sem_perms; -allow cupsd_t self:tcp_socket create_stream_socket_perms; -allow cupsd_t self:udp_socket create_socket_perms; -allow cupsd_t self:appletalk_socket create_socket_perms; -# generic socket here until appletalk socket is available in kernels -allow cupsd_t self:socket create_socket_perms; - -allow cupsd_t cupsd_etc_t:{ dir file } setattr; -read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) -read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) -files_search_etc(cupsd_t) - -manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) - -manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) - -# allow cups to execute its backend scripts -can_exec(cupsd_t, cupsd_exec_t) -allow cupsd_t cupsd_exec_t:dir search_dir_perms; -allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; - -allow cupsd_t cupsd_lock_t:file manage_file_perms; -files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - -manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -allow cupsd_t cupsd_log_t:dir setattr; -logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) - -manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) - -allow cupsd_t cupsd_var_run_t:dir setattr; -manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) - -allow cupsd_t hplip_t:process { signal sigkill }; - -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - -allow cupsd_t hplip_var_run_t:file read_file_perms; - -stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t : sock_file setattr; - -kernel_read_system_state(cupsd_t) -kernel_read_network_state(cupsd_t) -kernel_read_all_sysctls(cupsd_t) -kernel_request_load_module(cupsd_t) - -corenet_all_recvfrom_unlabeled(cupsd_t) -corenet_all_recvfrom_netlabel(cupsd_t) -corenet_tcp_sendrecv_generic_if(cupsd_t) -corenet_udp_sendrecv_generic_if(cupsd_t) -corenet_raw_sendrecv_generic_if(cupsd_t) -corenet_tcp_sendrecv_generic_node(cupsd_t) -corenet_udp_sendrecv_generic_node(cupsd_t) -corenet_raw_sendrecv_generic_node(cupsd_t) -corenet_tcp_sendrecv_all_ports(cupsd_t) -corenet_udp_sendrecv_all_ports(cupsd_t) -corenet_tcp_bind_generic_node(cupsd_t) -corenet_udp_bind_generic_node(cupsd_t) -corenet_tcp_bind_ipp_port(cupsd_t) -corenet_udp_bind_ipp_port(cupsd_t) -corenet_udp_bind_howl_port(cupsd_t) -corenet_tcp_bind_reserved_port(cupsd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) -corenet_tcp_bind_all_rpc_ports(cupsd_t) -corenet_tcp_connect_all_ports(cupsd_t) -corenet_sendrecv_hplip_client_packets(cupsd_t) -corenet_sendrecv_ipp_client_packets(cupsd_t) -corenet_sendrecv_ipp_server_packets(cupsd_t) - -dev_rw_printer(cupsd_t) -dev_read_urand(cupsd_t) -dev_read_sysfs(cupsd_t) -dev_rw_input_dev(cupsd_t) #447878 -dev_rw_generic_usb_dev(cupsd_t) -dev_rw_usbfs(cupsd_t) -dev_getattr_printer_dev(cupsd_t) - -domain_read_all_domains_state(cupsd_t) - -fs_getattr_all_fs(cupsd_t) -fs_search_auto_mountpoints(cupsd_t) -fs_search_fusefs(cupsd_t) -fs_read_anon_inodefs_files(cupsd_t) - -mls_file_downgrade(cupsd_t) -mls_file_write_all_levels(cupsd_t) -mls_file_read_all_levels(cupsd_t) -mls_rangetrans_target(cupsd_t) -mls_socket_write_all_levels(cupsd_t) -mls_fd_use_all_levels(cupsd_t) - -term_use_unallocated_ttys(cupsd_t) -term_search_ptys(cupsd_t) - -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -corecmd_exec_shell(cupsd_t) -corecmd_exec_bin(cupsd_t) - -domain_use_interactive_fds(cupsd_t) - -files_list_spool(cupsd_t) -files_read_etc_files(cupsd_t) -files_read_etc_runtime_files(cupsd_t) -# read python modules -files_read_usr_files(cupsd_t) -# for /var/lib/defoma -files_read_var_lib_files(cupsd_t) -files_list_world_readable(cupsd_t) -files_read_world_readable_files(cupsd_t) -files_read_world_readable_symlinks(cupsd_t) -# Satisfy readahead -files_read_var_files(cupsd_t) -files_read_var_symlinks(cupsd_t) -# for /etc/printcap -files_dontaudit_write_etc_files(cupsd_t) -# smbspool seems to be iterating through all existing tmp files. -# redhat bug #214953 -# cjp: this might be a broken behavior -files_dontaudit_getattr_all_tmp_files(cupsd_t) - -selinux_compute_access_vector(cupsd_t) -selinux_validate_context(cupsd_t) - -init_exec_script_files(cupsd_t) -init_read_utmp(cupsd_t) - -auth_domtrans_chk_passwd(cupsd_t) -auth_dontaudit_read_pam_pid(cupsd_t) -auth_rw_faillog(cupsd_t) -auth_use_nsswitch(cupsd_t) - -# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -libs_read_lib_files(cupsd_t) -libs_exec_lib_files(cupsd_t) - -logging_send_audit_msgs(cupsd_t) -logging_send_syslog_msg(cupsd_t) - -miscfiles_read_localization(cupsd_t) -# invoking ghostscript needs to read fonts -miscfiles_read_fonts(cupsd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_t) - -seutil_read_config(cupsd_t) -sysnet_exec_ifconfig(cupsd_t) - -files_dontaudit_list_home(cupsd_t) -userdom_dontaudit_use_unpriv_user_fds(cupsd_t) -userdom_dontaudit_search_user_home_content(cupsd_t) - -# Write to /var/spool/cups. -lpd_manage_spool(cupsd_t) -lpd_read_config(cupsd_t) -lpd_exec_lpr(cupsd_t) -lpd_relabel_spool(cupsd_t) - -optional_policy(` - apm_domtrans_client(cupsd_t) -') - -optional_policy(` - cron_system_entry(cupsd_t, cupsd_exec_t) -') - -optional_policy(` - dbus_system_bus_client(cupsd_t) - - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` - avahi_dbus_chat(cupsd_t) - ') - - optional_policy(` - hal_dbus_chat(cupsd_t) - ') - - optional_policy(` - unconfined_dbus_chat(cupsd_t) - ') -') - -optional_policy(` - hostname_exec(cupsd_t) -') - -optional_policy(` - inetd_core_service_domain(cupsd_t, cupsd_exec_t) -') - -optional_policy(` - logrotate_domtrans(cupsd_t) -') - -optional_policy(` - mta_send_mail(cupsd_t) -') - -optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) -') - -optional_policy(` - seutil_sigchld_newrole(cupsd_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(cupsd_t) -') - -optional_policy(` - udev_read_db(cupsd_t) -') - -######################################## -# -# Cups configuration daemon local policy -# - -allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; -dontaudit cupsd_config_t self:capability sys_tty_config; -allow cupsd_config_t self:process { getsched signal_perms }; -allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -allow cupsd_config_t self:unix_stream_socket create_socket_perms; -allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -allow cupsd_config_t self:tcp_socket create_stream_socket_perms; - -allow cupsd_config_t cupsd_t:process signal; -ps_process_pattern(cupsd_config_t, cupsd_t) - -manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) -manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) -filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) - -manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) - -can_exec(cupsd_config_t, cupsd_config_exec_t) - -allow cupsd_config_t cupsd_log_t:file rw_file_perms; - -manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) - -allow cupsd_config_t cupsd_var_run_t:file read_file_perms; - -manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) - -domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - -read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) - -kernel_read_system_state(cupsd_config_t) -kernel_read_all_sysctls(cupsd_config_t) - -corenet_all_recvfrom_unlabeled(cupsd_config_t) -corenet_all_recvfrom_netlabel(cupsd_config_t) -corenet_tcp_sendrecv_generic_if(cupsd_config_t) -corenet_tcp_sendrecv_generic_node(cupsd_config_t) -corenet_tcp_sendrecv_all_ports(cupsd_config_t) -corenet_tcp_connect_all_ports(cupsd_config_t) -corenet_sendrecv_all_client_packets(cupsd_config_t) - -dev_read_sysfs(cupsd_config_t) -dev_read_urand(cupsd_config_t) -dev_read_rand(cupsd_config_t) -dev_rw_generic_usb_dev(cupsd_config_t) - -files_search_all_mountpoints(cupsd_config_t) - -fs_getattr_all_fs(cupsd_config_t) -fs_search_auto_mountpoints(cupsd_config_t) - -corecmd_exec_bin(cupsd_config_t) -corecmd_exec_shell(cupsd_config_t) - -domain_use_interactive_fds(cupsd_config_t) -# killall causes the following -domain_dontaudit_search_all_domains_state(cupsd_config_t) - -files_read_usr_files(cupsd_config_t) -files_read_etc_files(cupsd_config_t) -files_read_etc_runtime_files(cupsd_config_t) -files_read_var_symlinks(cupsd_config_t) - -# Alternatives asks for this -init_getattr_all_script_files(cupsd_config_t) - -auth_use_nsswitch(cupsd_config_t) - -logging_send_syslog_msg(cupsd_config_t) - -miscfiles_read_localization(cupsd_config_t) -miscfiles_read_hwdata(cupsd_config_t) - -seutil_dontaudit_search_config(cupsd_config_t) - -userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) -userdom_dontaudit_search_user_home_dirs(cupsd_config_t) - -cups_stream_connect(cupsd_config_t) - -lpd_read_config(cupsd_config_t) - -ifdef(`distro_redhat',` - optional_policy(` - rpm_read_db(cupsd_config_t) - ') -') - -optional_policy(` - term_use_generic_ptys(cupsd_config_t) -') - -optional_policy(` - cron_system_entry(cupsd_config_t, cupsd_config_exec_t) -') - -optional_policy(` - dbus_system_domain(cupsd_config_t, cupsd_config_exec_t) - - optional_policy(` - hal_dbus_chat(cupsd_config_t) - ') -') - -optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) -') - -optional_policy(` - hostname_exec(cupsd_config_t) -') - -optional_policy(` - logrotate_use_fds(cupsd_config_t) -') - -optional_policy(` - policykit_dbus_chat(cupsd_config_t) - userdom_read_all_users_state(cupsd_config_t) -') - -optional_policy(` - rpm_read_db(cupsd_config_t) -') - -optional_policy(` - seutil_sigchld_newrole(cupsd_config_t) -') - -optional_policy(` - udev_read_db(cupsd_config_t) -') - -optional_policy(` - unconfined_stream_connect(cupsd_config_t) -') - -######################################## -# -# Cups lpd support -# - -allow cupsd_lpd_t self:process signal_perms; -allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; -allow cupsd_lpd_t self:udp_socket create_socket_perms; - -# for identd -# cjp: this should probably only be inetd_child rules? -allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow cupsd_lpd_t self:capability { setuid setgid }; -files_search_home(cupsd_lpd_t) -optional_policy(` - kerberos_use(cupsd_lpd_t) -') -#end for identd - -allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms; -read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) -read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) - -allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; -read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) -read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) - -manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) -files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir }) - -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) -files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) - -kernel_read_kernel_sysctls(cupsd_lpd_t) -kernel_read_system_state(cupsd_lpd_t) -kernel_read_network_state(cupsd_lpd_t) - -corenet_all_recvfrom_unlabeled(cupsd_lpd_t) -corenet_all_recvfrom_netlabel(cupsd_lpd_t) -corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) -corenet_udp_sendrecv_generic_if(cupsd_lpd_t) -corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) -corenet_udp_sendrecv_generic_node(cupsd_lpd_t) -corenet_tcp_sendrecv_all_ports(cupsd_lpd_t) -corenet_udp_sendrecv_all_ports(cupsd_lpd_t) -corenet_tcp_bind_generic_node(cupsd_lpd_t) -corenet_udp_bind_generic_node(cupsd_lpd_t) -corenet_tcp_connect_ipp_port(cupsd_lpd_t) - -dev_read_urand(cupsd_lpd_t) -dev_read_rand(cupsd_lpd_t) - -fs_getattr_xattr_fs(cupsd_lpd_t) - -files_read_etc_files(cupsd_lpd_t) - -auth_use_nsswitch(cupsd_lpd_t) - -logging_send_syslog_msg(cupsd_lpd_t) - -miscfiles_read_localization(cupsd_lpd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) - -cups_stream_connect(cupsd_lpd_t) - -optional_policy(` - inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) -') - -######################################## -# -# cups_pdf local policy -# - -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_file_perms; -allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) - -manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) - -fs_rw_anon_inodefs_files(cups_pdf_t) - -kernel_read_system_state(cups_pdf_t) - -files_read_etc_files(cups_pdf_t) -files_read_usr_files(cups_pdf_t) - -corecmd_exec_shell(cups_pdf_t) -corecmd_exec_bin(cups_pdf_t) - -auth_use_nsswitch(cups_pdf_t) - -miscfiles_read_localization(cups_pdf_t) -miscfiles_read_fonts(cups_pdf_t) - -userdom_home_filetrans_user_home_dir(cups_pdf_t) -userdom_manage_user_home_content_dirs(cups_pdf_t) -userdom_manage_user_home_content_files(cups_pdf_t) - -lpd_manage_spool(cups_pdf_t) - - -tunable_policy(`use_nfs_home_dirs',` - fs_search_auto_mountpoints(cups_pdf_t) - fs_manage_nfs_dirs(cups_pdf_t) - fs_manage_nfs_files(cups_pdf_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') - -######################################## -# -# HPLIP local policy -# - -# Needed for USB Scanneer and xsane -allow hplip_t self:capability { dac_override dac_read_search net_raw }; -dontaudit hplip_t self:capability sys_tty_config; -allow hplip_t self:fifo_file rw_fifo_file_perms; -allow hplip_t self:process signal_perms; -allow hplip_t self:unix_dgram_socket create_socket_perms; -allow hplip_t self:unix_stream_socket create_socket_perms; -allow hplip_t self:netlink_route_socket r_netlink_socket_perms; -allow hplip_t self:tcp_socket create_stream_socket_perms; -allow hplip_t self:udp_socket create_socket_perms; -allow hplip_t self:rawip_socket create_socket_perms; - -allow hplip_t cupsd_etc_t:dir search_dir_perms; -manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) - -cups_stream_connect(hplip_t) - -allow hplip_t hplip_etc_t:dir list_dir_perms; -read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) -read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) -files_search_etc(hplip_t) - -manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) -manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - -manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) -files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) - -manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) -files_pid_filetrans(hplip_t, hplip_var_run_t, file) - -kernel_read_system_state(hplip_t) -kernel_read_kernel_sysctls(hplip_t) - -corenet_all_recvfrom_unlabeled(hplip_t) -corenet_all_recvfrom_netlabel(hplip_t) -corenet_tcp_sendrecv_generic_if(hplip_t) -corenet_udp_sendrecv_generic_if(hplip_t) -corenet_raw_sendrecv_generic_if(hplip_t) -corenet_tcp_sendrecv_generic_node(hplip_t) -corenet_udp_sendrecv_generic_node(hplip_t) -corenet_raw_sendrecv_generic_node(hplip_t) -corenet_tcp_sendrecv_all_ports(hplip_t) -corenet_udp_sendrecv_all_ports(hplip_t) -corenet_tcp_bind_generic_node(hplip_t) -corenet_udp_bind_generic_node(hplip_t) -corenet_tcp_bind_hplip_port(hplip_t) -corenet_tcp_connect_hplip_port(hplip_t) -corenet_tcp_connect_ipp_port(hplip_t) -corenet_sendrecv_hplip_client_packets(hplip_t) -corenet_receive_hplip_server_packets(hplip_t) -corenet_udp_bind_howl_port(hplip_t) - -dev_read_sysfs(hplip_t) -dev_rw_printer(hplip_t) -dev_read_urand(hplip_t) -dev_read_rand(hplip_t) -dev_rw_generic_usb_dev(hplip_t) -dev_rw_usbfs(hplip_t) - -fs_getattr_all_fs(hplip_t) -fs_search_auto_mountpoints(hplip_t) -fs_rw_anon_inodefs_files(hplip_t) - -# for python -corecmd_exec_bin(hplip_t) - -domain_use_interactive_fds(hplip_t) - -files_read_etc_files(hplip_t) -files_read_etc_runtime_files(hplip_t) -files_read_usr_files(hplip_t) - -logging_send_syslog_msg(hplip_t) - -miscfiles_read_localization(hplip_t) - -sysnet_read_config(hplip_t) - -userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) - -lpd_read_config(hplip_t) -lpd_manage_spool(hplip_t) - -optional_policy(` - dbus_system_bus_client(hplip_t) -') - -optional_policy(` - seutil_sigchld_newrole(hplip_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') - -optional_policy(` - udev_read_db(hplip_t) -') - -######################################## -# -# PTAL local policy -# - -allow ptal_t self:capability { chown sys_rawio }; -dontaudit ptal_t self:capability sys_tty_config; -allow ptal_t self:fifo_file rw_fifo_file_perms; -allow ptal_t self:unix_dgram_socket create_socket_perms; -allow ptal_t self:unix_stream_socket create_stream_socket_perms; -allow ptal_t self:tcp_socket create_stream_socket_perms; - -allow ptal_t ptal_etc_t:dir list_dir_perms; -read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) -read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) -files_search_etc(ptal_t) - -manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(ptal_t) -kernel_list_proc(ptal_t) -kernel_read_proc_symlinks(ptal_t) - -corenet_all_recvfrom_unlabeled(ptal_t) -corenet_all_recvfrom_netlabel(ptal_t) -corenet_tcp_sendrecv_generic_if(ptal_t) -corenet_tcp_sendrecv_generic_node(ptal_t) -corenet_tcp_sendrecv_all_ports(ptal_t) -corenet_tcp_bind_generic_node(ptal_t) -corenet_tcp_bind_ptal_port(ptal_t) - -dev_read_sysfs(ptal_t) -dev_read_usbfs(ptal_t) -dev_rw_printer(ptal_t) - -fs_getattr_all_fs(ptal_t) -fs_search_auto_mountpoints(ptal_t) - -domain_use_interactive_fds(ptal_t) - -files_read_etc_files(ptal_t) -files_read_etc_runtime_files(ptal_t) - -logging_send_syslog_msg(ptal_t) - -miscfiles_read_localization(ptal_t) - -sysnet_read_config(ptal_t) - -userdom_dontaudit_use_unpriv_user_fds(ptal_t) -userdom_dontaudit_search_user_home_content(ptal_t) - -optional_policy(` - seutil_sigchld_newrole(ptal_t) -') - -optional_policy(` - udev_read_db(ptal_t) -') diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc deleted file mode 100644 index 48a30de13..000000000 --- a/policy/modules/services/cvs.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) - -/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -#CVSWeb file context -/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if deleted file mode 100644 index c43ff4c14..000000000 --- a/policy/modules/services/cvs.if +++ /dev/null @@ -1,82 +0,0 @@ -## Concurrent versions system - -######################################## -## -## Read the CVS data and metadata. -## -## -## -## Domain allowed access. -## -## -# -interface(`cvs_read_data',` - gen_require(` - type cvs_data_t; - ') - - list_dirs_pattern($1, cvs_data_t, cvs_data_t) - read_files_pattern($1, cvs_data_t, cvs_data_t) - read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) -') - -######################################## -## -## Allow the specified domain to execute cvs -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`cvs_exec',` - gen_require(` - type cvs_exec_t; - ') - - can_exec($1, cvs_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an cvs environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the cvs domain. -## -## -## -# -interface(`cvs_admin',` - gen_require(` - type cvs_t, cvs_tmp_t; - type cvs_data_t, cvs_var_run_t; - type cvs_initrc_exec_t; - ') - - allow $1 cvs_t:process { ptrace signal_perms }; - ps_process_pattern($1, cvs_t) - - # Allow cvs_t to restart the apache service - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, cvs_tmp_t) - - admin_pattern($1, cvs_data_t) - - files_list_pids($1) - admin_pattern($1, cvs_var_run_t) -') diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te deleted file mode 100644 index 88e7e97f0..000000000 --- a/policy/modules/services/cvs.te +++ /dev/null @@ -1,115 +0,0 @@ -policy_module(cvs, 1.9.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow cvs daemon to read shadow -##

-## -gen_tunable(allow_cvs_read_shadow, false) - -type cvs_t; -type cvs_exec_t; -inetd_tcp_service_domain(cvs_t, cvs_exec_t) -application_executable_file(cvs_exec_t) -role system_r types cvs_t; - -type cvs_data_t; # customizable -files_type(cvs_data_t) - -type cvs_initrc_exec_t; -init_script_file(cvs_initrc_exec_t) - -type cvs_tmp_t; -files_tmp_file(cvs_tmp_t) - -type cvs_var_run_t; -files_pid_file(cvs_var_run_t) - -######################################## -# -# Local policy -# - -allow cvs_t self:process signal_perms; -allow cvs_t self:fifo_file rw_fifo_file_perms; -allow cvs_t self:tcp_socket connected_stream_socket_perms; -# for identd; cjp: this should probably only be inetd_child rules? -allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow cvs_t self:capability { setuid setgid }; - -manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) -manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) - -manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) -manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) -files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir }) - -manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) -files_pid_filetrans(cvs_t, cvs_var_run_t, file) - -kernel_read_kernel_sysctls(cvs_t) -kernel_read_system_state(cvs_t) -kernel_read_network_state(cvs_t) - -corenet_all_recvfrom_unlabeled(cvs_t) -corenet_all_recvfrom_netlabel(cvs_t) -corenet_tcp_sendrecv_generic_if(cvs_t) -corenet_udp_sendrecv_generic_if(cvs_t) -corenet_tcp_sendrecv_generic_node(cvs_t) -corenet_udp_sendrecv_generic_node(cvs_t) -corenet_tcp_sendrecv_all_ports(cvs_t) -corenet_udp_sendrecv_all_ports(cvs_t) - -dev_read_urand(cvs_t) - -fs_getattr_xattr_fs(cvs_t) - -auth_domtrans_chk_passwd(cvs_t) -auth_use_nsswitch(cvs_t) - -corecmd_exec_bin(cvs_t) -corecmd_exec_shell(cvs_t) - -files_read_etc_files(cvs_t) -files_read_etc_runtime_files(cvs_t) -# for identd; cjp: this should probably only be inetd_child rules? -files_search_home(cvs_t) - -logging_send_syslog_msg(cvs_t) -logging_send_audit_msgs(cvs_t) - -miscfiles_read_localization(cvs_t) - -mta_send_mail(cvs_t) - -# cjp: typeattribute doesnt work in conditionals yet -auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` - allow cvs_t self:capability dac_override; - auth_tunable_read_shadow(cvs_t) -') - -optional_policy(` - kerberos_keytab_template(cvs, cvs_t) - kerberos_read_config(cvs_t) - kerberos_dontaudit_write_config(cvs_t) -') - -######################################## -# -# CVSWeb policy -# - -optional_policy(` - apache_content_template(cvs) - - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -') diff --git a/policy/modules/services/cyphesis.fc b/policy/modules/services/cyphesis.fc deleted file mode 100644 index c47a77221..000000000 --- a/policy/modules/services/cyphesis.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) - -/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) - -/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if deleted file mode 100644 index 9d4453865..000000000 --- a/policy/modules/services/cyphesis.if +++ /dev/null @@ -1,19 +0,0 @@ -## Cyphesis WorldForge game server - -######################################## -## -## Execute a domain transition to run cyphesis. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`cyphesis_domtrans',` - gen_require(` - type cyphesis_t, cyphesis_exec_t; - ') - - domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) -') diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te deleted file mode 100644 index 25897c94e..000000000 --- a/policy/modules/services/cyphesis.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(cyphesis, 1.2.0) - -######################################## -# -# Declarations -# - -type cyphesis_t; -type cyphesis_exec_t; -init_daemon_domain(cyphesis_t, cyphesis_exec_t) - -type cyphesis_log_t; -logging_log_file(cyphesis_log_t) - -type cyphesis_tmp_t; -files_tmp_file(cyphesis_tmp_t) - -type cyphesis_var_run_t; -files_pid_file(cyphesis_var_run_t) - -######################################## -# -# cyphesis local policy -# - -allow cyphesis_t self:process { setfscreate setsched signal }; -allow cyphesis_t self:fifo_file rw_fifo_file_perms; -allow cyphesis_t self:tcp_socket create_stream_socket_perms; -allow cyphesis_t self:unix_stream_socket create_stream_socket_perms; -allow cyphesis_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) -logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) - -# DAN > Does cyphesis really create a sock_file in /tmp? Why? -allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) - -manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) - -kernel_read_system_state(cyphesis_t) -kernel_read_kernel_sysctls(cyphesis_t) - -# DAN> What is cyphesis looking for in /bin? -corecmd_search_bin(cyphesis_t) -corecmd_getattr_bin_files(cyphesis_t) - -corenet_all_recvfrom_unlabeled(cyphesis_t) -corenet_tcp_sendrecv_generic_if(cyphesis_t) -corenet_tcp_sendrecv_generic_node(cyphesis_t) -corenet_tcp_sendrecv_all_ports(cyphesis_t) -corenet_tcp_bind_generic_node(cyphesis_t) -corenet_tcp_bind_cyphesis_port(cyphesis_t) -corenet_sendrecv_cyphesis_server_packets(cyphesis_t) - -dev_read_urand(cyphesis_t) - -# Init script handling -domain_use_interactive_fds(cyphesis_t) - -files_read_etc_files(cyphesis_t) -files_read_usr_files(cyphesis_t) - -logging_send_syslog_msg(cyphesis_t) - -miscfiles_read_localization(cyphesis_t) - -sysnet_dns_name_resolve(cyphesis_t) - -# cyphesis wants to talk to avahi via dbus -optional_policy(` - avahi_dbus_chat(cyphesis_t) - dbus_system_bus_client(cyphesis_t) -') - -optional_policy(` - kerberos_use(cyphesis_t) -') - -optional_policy(` - postgresql_stream_connect(cyphesis_t) -') diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc deleted file mode 100644 index 25546bcaf..000000000 --- a/policy/modules/services/cyrus.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) - -/usr/lib(64)?/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) -/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) - -/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) -/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if deleted file mode 100644 index e4e86d0a4..000000000 --- a/policy/modules/services/cyrus.if +++ /dev/null @@ -1,81 +0,0 @@ -## Cyrus is an IMAP service intended to be run on sealed servers - -######################################## -## -## Allow caller to create, read, write, -## and delete cyrus data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`cyrus_manage_data',` - gen_require(` - type cyrus_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) -') - -######################################## -## -## Connect to Cyrus using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`cyrus_stream_connect',` - gen_require(` - type cyrus_t, cyrus_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) -') - -######################################## -## -## All of the rules required to administrate -## an cyrus environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the cyrus domain. -## -## -## -# -interface(`cyrus_admin',` - gen_require(` - type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; - type cyrus_var_run_t, cyrus_initrc_exec_t; - ') - - allow $1 cyrus_t:process { ptrace signal_perms }; - ps_process_pattern($1, cyrus_t) - - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, cyrus_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, cyrus_var_lib_t) - - files_list_pids($1) - admin_pattern($1, cyrus_var_run_t) -') diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te deleted file mode 100644 index 2ced0233c..000000000 --- a/policy/modules/services/cyrus.te +++ /dev/null @@ -1,145 +0,0 @@ -policy_module(cyrus, 1.11.0) - -######################################## -# -# Declarations -# - -type cyrus_t; -type cyrus_exec_t; -init_daemon_domain(cyrus_t, cyrus_exec_t) - -type cyrus_initrc_exec_t; -init_script_file(cyrus_initrc_exec_t) - -type cyrus_tmp_t; -files_tmp_file(cyrus_tmp_t) - -type cyrus_var_lib_t; -files_type(cyrus_var_lib_t) - -type cyrus_var_run_t; -files_pid_file(cyrus_var_run_t) - -######################################## -# -# Local policy -# - -allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; -dontaudit cyrus_t self:capability sys_tty_config; -allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow cyrus_t self:process setrlimit; -allow cyrus_t self:fd use; -allow cyrus_t self:fifo_file rw_fifo_file_perms; -allow cyrus_t self:sock_file read_sock_file_perms; -allow cyrus_t self:shm create_shm_perms; -allow cyrus_t self:sem create_sem_perms; -allow cyrus_t self:msgq create_msgq_perms; -allow cyrus_t self:msg { send receive }; -allow cyrus_t self:unix_dgram_socket create_socket_perms; -allow cyrus_t self:unix_stream_socket create_stream_socket_perms; -allow cyrus_t self:unix_dgram_socket sendto; -allow cyrus_t self:unix_stream_socket connectto; -allow cyrus_t self:tcp_socket create_stream_socket_perms; -allow cyrus_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) - -manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, file) - -manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(cyrus_t) -kernel_read_system_state(cyrus_t) -kernel_read_all_sysctls(cyrus_t) - -corenet_all_recvfrom_unlabeled(cyrus_t) -corenet_all_recvfrom_netlabel(cyrus_t) -corenet_tcp_sendrecv_generic_if(cyrus_t) -corenet_udp_sendrecv_generic_if(cyrus_t) -corenet_tcp_sendrecv_generic_node(cyrus_t) -corenet_udp_sendrecv_generic_node(cyrus_t) -corenet_tcp_sendrecv_all_ports(cyrus_t) -corenet_udp_sendrecv_all_ports(cyrus_t) -corenet_tcp_bind_generic_node(cyrus_t) -corenet_tcp_bind_mail_port(cyrus_t) -corenet_tcp_bind_lmtp_port(cyrus_t) -corenet_tcp_bind_pop_port(cyrus_t) -corenet_tcp_bind_sieve_port(cyrus_t) -corenet_tcp_connect_all_ports(cyrus_t) -corenet_sendrecv_mail_server_packets(cyrus_t) -corenet_sendrecv_pop_server_packets(cyrus_t) -corenet_sendrecv_lmtp_server_packets(cyrus_t) -corenet_sendrecv_all_client_packets(cyrus_t) - -dev_read_rand(cyrus_t) -dev_read_urand(cyrus_t) -dev_read_sysfs(cyrus_t) - -fs_getattr_all_fs(cyrus_t) -fs_search_auto_mountpoints(cyrus_t) - -corecmd_exec_bin(cyrus_t) - -domain_use_interactive_fds(cyrus_t) - -files_list_var_lib(cyrus_t) -files_read_etc_files(cyrus_t) -files_read_etc_runtime_files(cyrus_t) -files_read_usr_files(cyrus_t) - -auth_use_nsswitch(cyrus_t) - -libs_exec_lib_files(cyrus_t) - -logging_send_syslog_msg(cyrus_t) - -miscfiles_read_localization(cyrus_t) -miscfiles_read_generic_certs(cyrus_t) - -sysnet_read_config(cyrus_t) - -userdom_use_unpriv_users_fds(cyrus_t) -userdom_dontaudit_search_user_home_dirs(cyrus_t) - -mta_manage_spool(cyrus_t) -mta_send_mail(cyrus_t) - -optional_policy(` - cron_system_entry(cyrus_t, cyrus_exec_t) -') - -optional_policy(` - kerberos_keytab_template(cyrus, cyrus_t) -') - -optional_policy(` - ldap_stream_connect(cyrus_t) -') - -optional_policy(` - sasl_connect(cyrus_t) -') - -optional_policy(` - seutil_sigchld_newrole(cyrus_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(cyrus_t) - snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) - snmp_stream_connect(cyrus_t) -') - -optional_policy(` - udev_read_db(cyrus_t) -') diff --git a/policy/modules/services/dante.fc b/policy/modules/services/dante.fc deleted file mode 100644 index 139171dc9..000000000 --- a/policy/modules/services/dante.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0) - -/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0) - -/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) diff --git a/policy/modules/services/dante.if b/policy/modules/services/dante.if deleted file mode 100644 index 704661c69..000000000 --- a/policy/modules/services/dante.if +++ /dev/null @@ -1 +0,0 @@ -## Dante msproxy and socks4/5 proxy server diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te deleted file mode 100644 index a8b93c022..000000000 --- a/policy/modules/services/dante.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(dante, 1.7.0) - -######################################## -# -# Declarations -# - -type dante_t; -type dante_exec_t; -init_daemon_domain(dante_t, dante_exec_t) - -type dante_conf_t; -files_type(dante_conf_t) - -type dante_var_run_t; -files_pid_file(dante_var_run_t) - -######################################## -# -# Local policy -# - -allow dante_t self:capability { setuid setgid }; -dontaudit dante_t self:capability sys_tty_config; -allow dante_t self:process signal_perms; -allow dante_t self:fifo_file rw_fifo_file_perms; -allow dante_t self:tcp_socket create_stream_socket_perms; -allow dante_t self:udp_socket create_socket_perms; - -allow dante_t dante_conf_t:dir list_dir_perms; -allow dante_t dante_conf_t:file read_file_perms; - -manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t) -files_pid_filetrans(dante_t, dante_var_run_t, file) - -kernel_read_kernel_sysctls(dante_t) -kernel_list_proc(dante_t) -kernel_read_proc_symlinks(dante_t) - -corenet_all_recvfrom_unlabeled(dante_t) -corenet_all_recvfrom_netlabel(dante_t) -corenet_tcp_sendrecv_generic_if(dante_t) -corenet_udp_sendrecv_generic_if(dante_t) -corenet_tcp_sendrecv_generic_node(dante_t) -corenet_udp_sendrecv_generic_node(dante_t) -corenet_tcp_sendrecv_all_ports(dante_t) -corenet_udp_sendrecv_all_ports(dante_t) -corenet_tcp_bind_generic_node(dante_t) -#TODO: no portcons for this type -#allow dante_t socks_port_t:tcp_socket name_bind; - -dev_read_sysfs(dante_t) - -domain_use_interactive_fds(dante_t) - -files_read_etc_files(dante_t) -files_read_etc_runtime_files(dante_t) - -fs_getattr_all_fs(dante_t) -fs_search_auto_mountpoints(dante_t) - -init_write_utmp(dante_t) - -logging_send_syslog_msg(dante_t) - -miscfiles_read_localization(dante_t) - -sysnet_read_config(dante_t) - -userdom_dontaudit_use_unpriv_user_fds(dante_t) -userdom_dontaudit_search_user_home_dirs(dante_t) - -optional_policy(` - seutil_sigchld_newrole(dante_t) -') - -optional_policy(` - udev_read_db(dante_t) -') diff --git a/policy/modules/services/dbskk.fc b/policy/modules/services/dbskk.fc deleted file mode 100644 index 7af259038..000000000 --- a/policy/modules/services/dbskk.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0) diff --git a/policy/modules/services/dbskk.if b/policy/modules/services/dbskk.if deleted file mode 100644 index 9e7100483..000000000 --- a/policy/modules/services/dbskk.if +++ /dev/null @@ -1 +0,0 @@ -## Dictionary server for the SKK Japanese input method system. diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te deleted file mode 100644 index 1445f97d8..000000000 --- a/policy/modules/services/dbskk.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(dbskk, 1.5.0) - -######################################## -# -# Declarations -# - -type dbskkd_t; -type dbskkd_exec_t; -inetd_service_domain(dbskkd_t, dbskkd_exec_t) -role system_r types dbskkd_t; - -type dbskkd_tmp_t; -files_tmp_file(dbskkd_tmp_t) - -type dbskkd_var_run_t; -files_pid_file(dbskkd_var_run_t) - -######################################## -# -# Local policy -# - -allow dbskkd_t self:process signal_perms; -allow dbskkd_t self:fifo_file rw_fifo_file_perms; -allow dbskkd_t self:tcp_socket connected_stream_socket_perms; -allow dbskkd_t self:udp_socket create_socket_perms; - -# for identd -# cjp: this should probably only be inetd_child rules? -allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow dbskkd_t self:capability { setuid setgid }; -files_search_home(dbskkd_t) -optional_policy(` - kerberos_use(dbskkd_t) -') -#end for identd - -manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) -manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) -files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir }) - -manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t) -files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file) - -kernel_read_kernel_sysctls(dbskkd_t) -kernel_read_system_state(dbskkd_t) -kernel_read_network_state(dbskkd_t) - -corenet_all_recvfrom_unlabeled(dbskkd_t) -corenet_all_recvfrom_netlabel(dbskkd_t) -corenet_tcp_sendrecv_generic_if(dbskkd_t) -corenet_udp_sendrecv_generic_if(dbskkd_t) -corenet_tcp_sendrecv_generic_node(dbskkd_t) -corenet_udp_sendrecv_generic_node(dbskkd_t) -corenet_tcp_sendrecv_all_ports(dbskkd_t) -corenet_udp_sendrecv_all_ports(dbskkd_t) - -dev_read_urand(dbskkd_t) - -fs_getattr_xattr_fs(dbskkd_t) - -files_read_etc_files(dbskkd_t) - -auth_use_nsswitch(dbskkd_t) - -logging_send_syslog_msg(dbskkd_t) - -miscfiles_read_localization(dbskkd_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc deleted file mode 100644 index 81eba149f..000000000 --- a/policy/modules/services/dbus.fc +++ /dev/null @@ -1,17 +0,0 @@ -/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) - -/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - -/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) - -ifdef(`distro_redhat',` -/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if deleted file mode 100644 index 1a1becddc..000000000 --- a/policy/modules/services/dbus.if +++ /dev/null @@ -1,500 +0,0 @@ -## Desktop messaging bus - -######################################## -## -## DBUS stub interface. No access allowed. -## -## -## -## Domain allowed access -## -## -# -interface(`dbus_stub',` - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') -') - -######################################## -## -## Role access for dbus -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -template(`dbus_role_template',` - gen_require(` - class dbus { send_msg acquire_svc }; - - attribute session_bus_type; - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; - ') - - ############################## - # - # Delcarations - # - - type $1_dbusd_t, session_bus_type; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) - role $2 types $1_dbusd_t; - - ############################## - # - # Local policy - # - - allow $1_dbusd_t self:process { getattr sigkill signal }; - dontaudit $1_dbusd_t self:process ptrace; - allow $1_dbusd_t self:file { getattr read write }; - allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; - allow $1_dbusd_t self:dbus { send_msg acquire_svc }; - allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; - allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; - allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; - allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; - - # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; - - # SE-DBus specific permissions - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) - - manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) - files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - allow $3 $1_dbusd_t:process { signull sigkill signal }; - - # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) - allow $1_dbusd_t $3:process sigkill; - allow $3 $1_dbusd_t:fd use; - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - allow $3 $1_dbusd_t:process sigchld; - - kernel_read_system_state($1_dbusd_t) - kernel_read_kernel_sysctls($1_dbusd_t) - - corecmd_list_bin($1_dbusd_t) - corecmd_read_bin_symlinks($1_dbusd_t) - corecmd_read_bin_files($1_dbusd_t) - corecmd_read_bin_pipes($1_dbusd_t) - corecmd_read_bin_sockets($1_dbusd_t) - - corenet_all_recvfrom_unlabeled($1_dbusd_t) - corenet_all_recvfrom_netlabel($1_dbusd_t) - corenet_tcp_sendrecv_generic_if($1_dbusd_t) - corenet_tcp_sendrecv_generic_node($1_dbusd_t) - corenet_tcp_sendrecv_all_ports($1_dbusd_t) - corenet_tcp_bind_generic_node($1_dbusd_t) - corenet_tcp_bind_reserved_port($1_dbusd_t) - - dev_read_urand($1_dbusd_t) - - domain_use_interactive_fds($1_dbusd_t) - domain_read_all_domains_state($1_dbusd_t) - - files_read_etc_files($1_dbusd_t) - files_list_home($1_dbusd_t) - files_read_usr_files($1_dbusd_t) - files_dontaudit_search_var($1_dbusd_t) - - fs_getattr_romfs($1_dbusd_t) - fs_getattr_xattr_fs($1_dbusd_t) - fs_list_inotifyfs($1_dbusd_t) - fs_dontaudit_list_nfs($1_dbusd_t) - - selinux_get_fs_mount($1_dbusd_t) - selinux_validate_context($1_dbusd_t) - selinux_compute_access_vector($1_dbusd_t) - selinux_compute_create_context($1_dbusd_t) - selinux_compute_relabel_context($1_dbusd_t) - selinux_compute_user_contexts($1_dbusd_t) - - auth_read_pam_console_data($1_dbusd_t) - auth_use_nsswitch($1_dbusd_t) - - logging_send_audit_msgs($1_dbusd_t) - logging_send_syslog_msg($1_dbusd_t) - - miscfiles_read_localization($1_dbusd_t) - - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - - term_use_all_terms($1_dbusd_t) - - userdom_read_user_home_content_files($1_dbusd_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - - optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_dbusd_t) - xserver_rw_xdm_pipes($1_dbusd_t) - ') -') - -####################################### -## -## Template for creating connections to -## the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_system_bus_client',` - gen_require(` - type system_dbusd_t, system_dbusd_t; - type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; - ') - - # SE-DBus specific permissions - allow $1 { system_dbusd_t self }:dbus send_msg; - allow system_dbusd_t $1:dbus send_msg; - - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($1) - - # For connecting to the bus - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($1) -') - -####################################### -## -## Template for creating connections to -## a user DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_session_bus_client',` - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - - # SE-DBus specific permissions - allow $1 { session_bus_type self }:dbus send_msg; - - # For connecting to the bus - allow $1 session_bus_type:unix_stream_socket connectto; -') - -######################################## -## -## Send a message the session DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_send_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - - allow $1 session_bus_type:dbus send_msg; -') - -######################################## -## -## Read dbus configuration. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_read_config',` - gen_require(` - type dbusd_etc_t; - ') - - allow $1 dbusd_etc_t:dir list_dir_perms; - allow $1 dbusd_etc_t:file read_file_perms; -') - -######################################## -## -## Read system dbus lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_read_lib_files',` - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## system dbus lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_manage_lib_files',` - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -') - -######################################## -## -## Connect to the system DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_connect_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus acquire_svc; - ') - - allow $1 session_bus_type:dbus acquire_svc; -') - -######################################## -## -## Allow a application domain to be started -## by the session dbus. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an -## entry point to this domain. -## -## -# -interface(`dbus_session_domain',` - gen_require(` - attribute session_bus_type; - ') - - domtrans_pattern(session_bus_type, $2, $1) - - dbus_session_bus_client($1) - dbus_connect_session_bus($1) -') - -######################################## -## -## Connect to the system DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_connect_system_bus',` - gen_require(` - type system_dbusd_t; - class dbus acquire_svc; - ') - - allow $1 system_dbusd_t:dbus acquire_svc; -') - -######################################## -## -## Send a message on the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_send_system_bus',` - gen_require(` - type system_dbusd_t; - class dbus send_msg; - ') - - allow $1 system_dbusd_t:dbus send_msg; -') - -######################################## -## -## Allow unconfined access to the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_system_bus_unconfined',` - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') - - allow $1 system_dbusd_t:dbus *; -') - -######################################## -## -## Create a domain for processes -## which can be started by the system dbus -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`dbus_system_domain',` - gen_require(` - type system_dbusd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') -') - -######################################## -## -## Use and inherit system DBUS file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_use_system_bus_fds',` - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:fd use; -') - -######################################## -## -## Dontaudit Read, and write system dbus TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:tcp_socket { read write }; - allow $1 system_dbusd_t:fd use; -') - -######################################## -## -## Allow unconfined access to the system DBUS. -## -## -## -## Domain allowed access. -## -## -# -interface(`dbus_unconfined',` - gen_require(` - attribute dbusd_unconfined; - ') - - typeattribute $1 dbusd_unconfined; -') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te deleted file mode 100644 index 7ef51588f..000000000 --- a/policy/modules/services/dbus.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(dbus, 1.15.0) - -gen_require(` - class dbus all_dbus_perms; -') - -############################## -# -# Delcarations -# - -attribute dbusd_unconfined; -attribute session_bus_type; - -type dbusd_etc_t; -files_config_file(dbusd_etc_t) - -type dbusd_exec_t; -corecmd_executable_file(dbusd_exec_t) -typealias dbusd_exec_t alias system_dbusd_exec_t; - -type session_dbusd_tmp_t; -typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -files_tmp_file(session_dbusd_tmp_t) -ubac_constrained(session_dbusd_tmp_t) - -type system_dbusd_t; -init_system_domain(system_dbusd_t, dbusd_exec_t) - -type system_dbusd_tmp_t; -files_tmp_file(system_dbusd_tmp_t) - -type system_dbusd_var_lib_t; -files_type(system_dbusd_var_lib_t) - -type system_dbusd_var_run_t; -files_pid_file(system_dbusd_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) -') - -############################## -# -# System bus local policy -# - -# dac_override: /var/run/dbus is owned by messagebus on Debian -# cjp: dac_override should probably go in a distro_debian -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; -dontaudit system_dbusd_t self:capability sys_tty_config; -allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; -allow system_dbusd_t self:fifo_file rw_fifo_file_perms; -allow system_dbusd_t self:dbus { send_msg acquire_svc }; -allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -allow system_dbusd_t self:unix_dgram_socket create_socket_perms; -# Receive notifications of policy reloads and enforcing status changes. -allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -can_exec(system_dbusd_t, dbusd_exec_t) - -allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; -read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - -manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) - -read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - -manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file) - -kernel_read_system_state(system_dbusd_t) -kernel_read_kernel_sysctls(system_dbusd_t) - -dev_read_urand(system_dbusd_t) -dev_read_sysfs(system_dbusd_t) - -fs_getattr_all_fs(system_dbusd_t) -fs_list_inotifyfs(system_dbusd_t) -fs_search_auto_mountpoints(system_dbusd_t) -fs_dontaudit_list_nfs(system_dbusd_t) - -mls_fd_use_all_levels(system_dbusd_t) -mls_rangetrans_target(system_dbusd_t) -mls_file_read_all_levels(system_dbusd_t) -mls_socket_write_all_levels(system_dbusd_t) -mls_socket_read_to_clearance(system_dbusd_t) -mls_dbus_recv_all_levels(system_dbusd_t) - -selinux_get_fs_mount(system_dbusd_t) -selinux_validate_context(system_dbusd_t) -selinux_compute_access_vector(system_dbusd_t) -selinux_compute_create_context(system_dbusd_t) -selinux_compute_relabel_context(system_dbusd_t) -selinux_compute_user_contexts(system_dbusd_t) - -term_dontaudit_use_console(system_dbusd_t) - -auth_use_nsswitch(system_dbusd_t) -auth_read_pam_console_data(system_dbusd_t) - -corecmd_list_bin(system_dbusd_t) -corecmd_read_bin_pipes(system_dbusd_t) -corecmd_read_bin_sockets(system_dbusd_t) - -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) - -files_read_etc_files(system_dbusd_t) -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) - -init_use_fds(system_dbusd_t) -init_use_script_ptys(system_dbusd_t) -init_domtrans_script(system_dbusd_t) - -logging_send_audit_msgs(system_dbusd_t) -logging_send_syslog_msg(system_dbusd_t) - -miscfiles_read_localization(system_dbusd_t) -miscfiles_read_generic_certs(system_dbusd_t) - -seutil_read_config(system_dbusd_t) -seutil_read_default_contexts(system_dbusd_t) -seutil_sigchld_newrole(system_dbusd_t) - -userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) -userdom_dontaudit_search_user_home_dirs(system_dbusd_t) - -optional_policy(` - bind_domtrans(system_dbusd_t) -') - -optional_policy(` - policykit_dbus_chat(system_dbusd_t) - policykit_domtrans_auth(system_dbusd_t) - policykit_search_lib(system_dbusd_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) -') - -optional_policy(` - udev_read_db(system_dbusd_t) -') - -######################################## -# -# Unconfined access to this module -# - -allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc deleted file mode 100644 index ecda170ae..000000000 --- a/policy/modules/services/dcc.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) -/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) -/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0) - -/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) -/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) -/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) -/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) - -/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - -/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) -/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if deleted file mode 100644 index 784753e6b..000000000 --- a/policy/modules/services/dcc.if +++ /dev/null @@ -1,173 +0,0 @@ -## Distributed checksum clearinghouse spam filtering - -######################################## -## -## Execute cdcc in the cdcc domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dcc_domtrans_cdcc',` - gen_require(` - type cdcc_t, cdcc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cdcc_exec_t, cdcc_t) -') - -######################################## -## -## Execute cdcc in the cdcc domain, and -## allow the specified role the cdcc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dcc_run_cdcc',` - gen_require(` - type cdcc_t; - ') - - dcc_domtrans_cdcc($1) - role $2 types cdcc_t; -') - -######################################## -## -## Execute dcc_client in the dcc_client domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dcc_domtrans_client',` - gen_require(` - type dcc_client_t, dcc_client_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_client_exec_t, dcc_client_t) -') - -######################################## -## -## Send a signal to the dcc_client. -## -## -## -## Domain allowed access. -## -## -# -interface(`dcc_signal_client',` - gen_require(` - type dcc_client_t; - ') - - allow $1 dcc_client_t:process signal; -') - -######################################## -## -## Execute dcc_client in the dcc_client domain, and -## allow the specified role the dcc_client domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dcc_run_client',` - gen_require(` - type dcc_client_t; - ') - - dcc_domtrans_client($1) - role $2 types dcc_client_t; -') - -######################################## -## -## Execute dbclean in the dcc_dbclean domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dcc_domtrans_dbclean',` - gen_require(` - type dcc_dbclean_t, dcc_dbclean_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t) -') - -######################################## -## -## Execute dbclean in the dcc_dbclean domain, and -## allow the specified role the dcc_dbclean domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`dcc_run_dbclean',` - gen_require(` - type dcc_dbclean_t; - ') - - dcc_domtrans_dbclean($1) - role $2 types dcc_dbclean_t; -') - -######################################## -## -## Connect to dccifd over a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`dcc_stream_connect_dccifd',` - gen_require(` - type dcc_var_t, dccifd_var_run_t, dccifd_t; - ') - - files_search_var($1) - stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) -') diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te deleted file mode 100644 index ec19ff4a3..000000000 --- a/policy/modules/services/dcc.te +++ /dev/null @@ -1,404 +0,0 @@ -policy_module(dcc, 1.10.0) - -######################################## -# -# Declarations -# - -type cdcc_t; -type cdcc_exec_t; -application_domain(cdcc_t, cdcc_exec_t) -role system_r types cdcc_t; - -type cdcc_tmp_t; -files_tmp_file(cdcc_tmp_t) - -type dcc_client_t; -type dcc_client_exec_t; -application_domain(dcc_client_t, dcc_client_exec_t) -role system_r types dcc_client_t; - -type dcc_client_map_t; -files_type(dcc_client_map_t) - -type dcc_client_tmp_t; -files_tmp_file(dcc_client_tmp_t) - -type dcc_dbclean_t; -type dcc_dbclean_exec_t; -application_domain(dcc_dbclean_t, dcc_dbclean_exec_t) -role system_r types dcc_dbclean_t; - -type dcc_dbclean_tmp_t; -files_tmp_file(dcc_dbclean_tmp_t) - -type dcc_var_t; -files_type(dcc_var_t) - -type dcc_var_run_t; -files_type(dcc_var_run_t) - -type dccd_t; -type dccd_exec_t; -init_daemon_domain(dccd_t, dccd_exec_t) - -type dccd_tmp_t; -files_tmp_file(dccd_tmp_t) - -type dccd_var_run_t; -files_pid_file(dccd_var_run_t) - -type dccifd_t; -type dccifd_exec_t; -init_daemon_domain(dccifd_t, dccifd_exec_t) - -type dccifd_tmp_t; -files_tmp_file(dccifd_tmp_t) - -type dccifd_var_run_t; -files_pid_file(dccifd_var_run_t) - -type dccm_t; -type dccm_exec_t; -init_daemon_domain(dccm_t, dccm_exec_t) - -type dccm_tmp_t; -files_tmp_file(dccm_tmp_t) - -type dccm_var_run_t; -files_pid_file(dccm_var_run_t) - -# NOTE: DCC has writeable files in /etc/dcc that should probably be in -# /var/lib/dcc. For now this policy supports both directories being -# writable. - -# cjp: dccifd and dccm should be merged, as -# they have the same rules. - -######################################## -# -# dcc daemon controller local policy -# - -allow cdcc_t self:capability { setuid setgid }; -allow cdcc_t self:unix_dgram_socket create_socket_perms; -allow cdcc_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) -manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) -files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir }) - -allow cdcc_t dcc_client_map_t:file rw_file_perms; - -# Access files in /var/dcc. The map file can be updated -allow cdcc_t dcc_var_t:dir list_dir_perms; -read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) - -corenet_all_recvfrom_unlabeled(cdcc_t) -corenet_all_recvfrom_netlabel(cdcc_t) -corenet_udp_sendrecv_generic_if(cdcc_t) -corenet_udp_sendrecv_generic_node(cdcc_t) -corenet_udp_sendrecv_all_ports(cdcc_t) - -files_read_etc_files(cdcc_t) -files_read_etc_runtime_files(cdcc_t) - -auth_use_nsswitch(cdcc_t) - -logging_send_syslog_msg(cdcc_t) - -miscfiles_read_localization(cdcc_t) - -userdom_use_user_terminals(cdcc_t) - -######################################## -# -# dcc procmail interface local policy -# - -allow dcc_client_t self:capability { setuid setgid }; -allow dcc_client_t self:unix_dgram_socket create_socket_perms; -allow dcc_client_t self:udp_socket create_socket_perms; - -allow dcc_client_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) -manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) -files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) - -# Access files in /var/dcc. The map file can be updated -allow dcc_client_t dcc_var_t:dir list_dir_perms; -manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) - -kernel_read_system_state(dcc_client_t) - -corenet_all_recvfrom_unlabeled(dcc_client_t) -corenet_all_recvfrom_netlabel(dcc_client_t) -corenet_udp_sendrecv_generic_if(dcc_client_t) -corenet_udp_sendrecv_generic_node(dcc_client_t) -corenet_udp_sendrecv_all_ports(dcc_client_t) -corenet_udp_bind_generic_node(dcc_client_t) - -files_read_etc_files(dcc_client_t) -files_read_etc_runtime_files(dcc_client_t) - -fs_getattr_all_fs(dcc_client_t) - -auth_use_nsswitch(dcc_client_t) - -logging_send_syslog_msg(dcc_client_t) - -miscfiles_read_localization(dcc_client_t) - -userdom_use_user_terminals(dcc_client_t) - -optional_policy(` - amavis_read_spool_files(dcc_client_t) -') - -optional_policy(` - spamassassin_read_spamd_tmp_files(dcc_client_t) -') - -######################################## -# -# Database cleanup tool local policy -# - -allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms; -allow dcc_dbclean_t self:udp_socket create_socket_perms; - -allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) -manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) -files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir }) - -manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) - -kernel_read_system_state(dcc_dbclean_t) - -corenet_all_recvfrom_unlabeled(dcc_dbclean_t) -corenet_all_recvfrom_netlabel(dcc_dbclean_t) -corenet_udp_sendrecv_generic_if(dcc_dbclean_t) -corenet_udp_sendrecv_generic_node(dcc_dbclean_t) -corenet_udp_sendrecv_all_ports(dcc_dbclean_t) - -files_read_etc_files(dcc_dbclean_t) -files_read_etc_runtime_files(dcc_dbclean_t) - -auth_use_nsswitch(dcc_dbclean_t) - -logging_send_syslog_msg(dcc_dbclean_t) - -miscfiles_read_localization(dcc_dbclean_t) - -userdom_use_user_terminals(dcc_dbclean_t) - -######################################## -# -# Server daemon local policy -# - -allow dccd_t self:capability net_admin; -dontaudit dccd_t self:capability sys_tty_config; -allow dccd_t self:process signal_perms; -allow dccd_t self:unix_stream_socket create_socket_perms; -allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; -allow dccd_t self:udp_socket create_socket_perms; - -allow dccd_t dcc_client_map_t:file rw_file_perms; - -# Access files in /var/dcc. The map file can be updated -allow dccd_t dcc_var_t:dir list_dir_perms; -read_files_pattern(dccd_t, dcc_var_t, dcc_var_t) -read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) - -# Runs the dbclean program -domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) -corecmd_search_bin(dccd_t) - -# Updating dcc_db, flod, ... -manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) -manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) -files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) - -manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) - -kernel_read_system_state(dccd_t) -kernel_read_kernel_sysctls(dccd_t) - -corenet_all_recvfrom_unlabeled(dccd_t) -corenet_all_recvfrom_netlabel(dccd_t) -corenet_udp_sendrecv_generic_if(dccd_t) -corenet_udp_sendrecv_generic_node(dccd_t) -corenet_udp_sendrecv_all_ports(dccd_t) -corenet_udp_bind_generic_node(dccd_t) -corenet_udp_bind_dcc_port(dccd_t) -corenet_sendrecv_dcc_server_packets(dccd_t) - -dev_read_sysfs(dccd_t) - -domain_use_interactive_fds(dccd_t) - -files_read_etc_files(dccd_t) -files_read_etc_runtime_files(dccd_t) - -fs_getattr_all_fs(dccd_t) -fs_search_auto_mountpoints(dccd_t) - -auth_use_nsswitch(dccd_t) - -logging_send_syslog_msg(dccd_t) - -miscfiles_read_localization(dccd_t) - -userdom_dontaudit_use_unpriv_user_fds(dccd_t) -userdom_dontaudit_search_user_home_dirs(dccd_t) - -optional_policy(` - seutil_sigchld_newrole(dccd_t) -') - -optional_policy(` - udev_read_db(dccd_t) -') - -######################################## -# -# Spamassassin and general MTA persistent client local policy -# - -dontaudit dccifd_t self:capability sys_tty_config; -allow dccifd_t self:process signal_perms; -allow dccifd_t self:unix_stream_socket create_stream_socket_perms; -allow dccifd_t self:unix_dgram_socket create_socket_perms; -allow dccifd_t self:udp_socket create_socket_perms; - -allow dccifd_t dcc_client_map_t:file rw_file_perms; - -# Updating dcc_db, flod, ... -manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) -manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) -manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) -files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir }) - -manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) -manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) -filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file }) -files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) - -kernel_read_system_state(dccifd_t) -kernel_read_kernel_sysctls(dccifd_t) - -corenet_all_recvfrom_unlabeled(dccifd_t) -corenet_all_recvfrom_netlabel(dccifd_t) -corenet_udp_sendrecv_generic_if(dccifd_t) -corenet_udp_sendrecv_generic_node(dccifd_t) -corenet_udp_sendrecv_all_ports(dccifd_t) - -dev_read_sysfs(dccifd_t) - -domain_use_interactive_fds(dccifd_t) - -files_read_etc_files(dccifd_t) -files_read_etc_runtime_files(dccifd_t) - -fs_getattr_all_fs(dccifd_t) -fs_search_auto_mountpoints(dccifd_t) - -auth_use_nsswitch(dccifd_t) - -logging_send_syslog_msg(dccifd_t) - -miscfiles_read_localization(dccifd_t) - -userdom_dontaudit_use_unpriv_user_fds(dccifd_t) -userdom_dontaudit_search_user_home_dirs(dccifd_t) - -optional_policy(` - seutil_sigchld_newrole(dccifd_t) -') - -optional_policy(` - udev_read_db(dccifd_t) -') - -######################################## -# -# sendmail milter client local policy -# - -dontaudit dccm_t self:capability sys_tty_config; -allow dccm_t self:process signal_perms; -allow dccm_t self:unix_stream_socket create_stream_socket_perms; -allow dccm_t self:unix_dgram_socket create_socket_perms; -allow dccm_t self:udp_socket create_socket_perms; - -allow dccm_t dcc_client_map_t:file rw_file_perms; - -manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t) -manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t) - -manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) -manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) -files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir }) - -manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) -manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) -filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file }) -files_pid_filetrans(dccm_t, dccm_var_run_t, file) - -kernel_read_system_state(dccm_t) -kernel_read_kernel_sysctls(dccm_t) - -corenet_all_recvfrom_unlabeled(dccm_t) -corenet_all_recvfrom_netlabel(dccm_t) -corenet_udp_sendrecv_generic_if(dccm_t) -corenet_udp_sendrecv_generic_node(dccm_t) -corenet_udp_sendrecv_all_ports(dccm_t) - -dev_read_sysfs(dccm_t) - -domain_use_interactive_fds(dccm_t) - -files_read_etc_files(dccm_t) -files_read_etc_runtime_files(dccm_t) - -fs_getattr_all_fs(dccm_t) -fs_search_auto_mountpoints(dccm_t) - -auth_use_nsswitch(dccm_t) - -logging_send_syslog_msg(dccm_t) - -miscfiles_read_localization(dccm_t) - -userdom_dontaudit_use_unpriv_user_fds(dccm_t) -userdom_dontaudit_search_user_home_dirs(dccm_t) - -optional_policy(` - seutil_sigchld_newrole(dccm_t) -') - -optional_policy(` - udev_read_db(dccm_t) -') diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc deleted file mode 100644 index 083c1351b..000000000 --- a/policy/modules/services/ddclient.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) -/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) -/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0) - -/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0) -/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0) - -/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0) -/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0) -/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) -/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) -/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if deleted file mode 100644 index 0a1a61b33..000000000 --- a/policy/modules/services/ddclient.if +++ /dev/null @@ -1,93 +0,0 @@ -## Update dynamic IP address at DynDNS.org - -####################################### -## -## Execute ddclient in the ddclient domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ddclient_domtrans',` - gen_require(` - type ddclient_t, ddclient_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ddclient_exec_t, ddclient_t) -') - -######################################## -## -## Execute ddclient daemon on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ddclient_run',` - gen_require(` - type ddclient_t; - ') - - ddclient_domtrans($1) - role $2 types ddclient_t; -') - -######################################## -## -## All of the rules required to administrate -## an ddclient environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ddclient domain. -## -## -## -# -interface(`ddclient_admin',` - gen_require(` - type ddclient_t, ddclient_etc_t, ddclient_log_t; - type ddclient_var_t, ddclient_var_lib_t; - type ddclient_var_run_t, ddclient_initrc_exec_t; - ') - - allow $1 ddclient_t:process { ptrace signal_perms }; - ps_process_pattern($1, ddclient_t) - - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ddclient_etc_t) - - logging_list_logs($1) - admin_pattern($1, ddclient_log_t) - - files_list_var($1) - admin_pattern($1, ddclient_var_t) - - files_list_var_lib($1) - admin_pattern($1, ddclient_var_lib_t) - - files_list_pids($1) - admin_pattern($1, ddclient_var_run_t) -') diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te deleted file mode 100644 index 24ba98a63..000000000 --- a/policy/modules/services/ddclient.te +++ /dev/null @@ -1,108 +0,0 @@ -policy_module(ddclient, 1.9.0) - -######################################## -# -# Declarations -# - -type ddclient_t; -type ddclient_exec_t; -init_daemon_domain(ddclient_t, ddclient_exec_t) - -type ddclient_etc_t; -files_config_file(ddclient_etc_t) - -type ddclient_initrc_exec_t; -init_script_file(ddclient_initrc_exec_t) - -type ddclient_log_t; -logging_log_file(ddclient_log_t) - -type ddclient_var_t; -files_type(ddclient_var_t) - -type ddclient_var_lib_t; -files_type(ddclient_var_lib_t) - -type ddclient_var_run_t; -files_pid_file(ddclient_var_run_t) - -######################################## -# -# Declarations -# - -dontaudit ddclient_t self:capability sys_tty_config; -allow ddclient_t self:process signal_perms; -allow ddclient_t self:fifo_file rw_fifo_file_perms; -allow ddclient_t self:tcp_socket create_socket_perms; -allow ddclient_t self:udp_socket create_socket_perms; - -allow ddclient_t ddclient_etc_t:file read_file_perms; - -allow ddclient_t ddclient_log_t:file manage_file_perms; -logging_log_filetrans(ddclient_t, ddclient_log_t, file) - -manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file }) - -manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t) -files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file) - -manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t) -files_pid_filetrans(ddclient_t, ddclient_var_run_t, file) - -kernel_read_system_state(ddclient_t) -kernel_read_network_state(ddclient_t) -kernel_read_software_raid_state(ddclient_t) -kernel_getattr_core_if(ddclient_t) -kernel_getattr_message_if(ddclient_t) -kernel_read_kernel_sysctls(ddclient_t) - -corecmd_exec_shell(ddclient_t) -corecmd_exec_bin(ddclient_t) - -corenet_all_recvfrom_unlabeled(ddclient_t) -corenet_all_recvfrom_netlabel(ddclient_t) -corenet_tcp_sendrecv_generic_if(ddclient_t) -corenet_udp_sendrecv_generic_if(ddclient_t) -corenet_tcp_sendrecv_generic_node(ddclient_t) -corenet_udp_sendrecv_generic_node(ddclient_t) -corenet_tcp_sendrecv_all_ports(ddclient_t) -corenet_udp_sendrecv_all_ports(ddclient_t) -corenet_tcp_connect_all_ports(ddclient_t) -corenet_sendrecv_all_client_packets(ddclient_t) - -dev_read_sysfs(ddclient_t) -dev_read_urand(ddclient_t) - -domain_use_interactive_fds(ddclient_t) - -files_read_etc_files(ddclient_t) -files_read_etc_runtime_files(ddclient_t) -files_read_usr_files(ddclient_t) - -fs_getattr_all_fs(ddclient_t) -fs_search_auto_mountpoints(ddclient_t) - -logging_send_syslog_msg(ddclient_t) - -miscfiles_read_localization(ddclient_t) - -sysnet_exec_ifconfig(ddclient_t) -sysnet_read_config(ddclient_t) - -userdom_dontaudit_use_unpriv_user_fds(ddclient_t) -userdom_dontaudit_search_user_home_dirs(ddclient_t) - -optional_policy(` - seutil_sigchld_newrole(ddclient_t) -') - -optional_policy(` - udev_read_db(ddclient_t) -') diff --git a/policy/modules/services/denyhosts.fc b/policy/modules/services/denyhosts.fc deleted file mode 100644 index 257fef603..000000000 --- a/policy/modules/services/denyhosts.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0) - -/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0) - -/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0) -/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0) -/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0) diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if deleted file mode 100644 index 567865f3b..000000000 --- a/policy/modules/services/denyhosts.if +++ /dev/null @@ -1,85 +0,0 @@ -## DenyHosts SSH dictionary attack mitigation -## -##

-## DenyHosts is a script intended to be run by Linux -## system administrators to help thwart SSH server attacks -## (also known as dictionary based attacks and brute force -## attacks). -##

-## - -######################################## -## -## Execute a domain transition to run denyhosts. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`denyhosts_domtrans', ` - gen_require(` - type denyhosts_t, denyhosts_exec_t; - ') - - domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) -') - -######################################## -## -## Execute denyhost server in the denyhost domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`denyhosts_initrc_domtrans', ` - gen_require(` - type denyhosts_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an denyhosts environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -# -interface(`denyhosts_admin', ` - gen_require(` - type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') - - allow $1 denyhosts_t:process { ptrace signal_perms }; - ps_process_pattern($1, denyhosts_t) - - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, denyhosts_var_log_t) - - files_search_locks($1) - admin_pattern($1, denyhosts_var_lock_t) -') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te deleted file mode 100644 index 8ba942504..000000000 --- a/policy/modules/services/denyhosts.te +++ /dev/null @@ -1,72 +0,0 @@ -policy_module(denyhosts, 1.0.0) - -######################################## -# -# DenyHosts personal declarations. -# - -type denyhosts_t; -type denyhosts_exec_t; -init_daemon_domain(denyhosts_t, denyhosts_exec_t) - -type denyhosts_initrc_exec_t; -init_script_file(denyhosts_initrc_exec_t) - -type denyhosts_var_lib_t; -files_type(denyhosts_var_lib_t) - -type denyhosts_var_lock_t; -files_lock_file(denyhosts_var_lock_t) - -type denyhosts_var_log_t; -logging_log_file(denyhosts_var_log_t) - -######################################## -# -# DenyHosts personal policy. -# - -allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; -allow denyhosts_t self:tcp_socket create_socket_perms; -allow denyhosts_t self:udp_socket create_socket_perms; - -manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) -files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file) - -manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) -manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) -files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) - -append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) -logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) - -kernel_read_system_state(denyhosts_t) - -corecmd_exec_bin(denyhosts_t) - -corenet_all_recvfrom_unlabeled(denyhosts_t) -corenet_all_recvfrom_netlabel(denyhosts_t) -corenet_tcp_sendrecv_generic_if(denyhosts_t) -corenet_tcp_sendrecv_generic_node(denyhosts_t) -corenet_tcp_bind_generic_node(denyhosts_t) -corenet_tcp_connect_smtp_port(denyhosts_t) -corenet_sendrecv_smtp_client_packets(denyhosts_t) - -dev_read_urand(denyhosts_t) - -files_read_etc_files(denyhosts_t) - -# /var/log/secure -logging_read_generic_logs(denyhosts_t) - -miscfiles_read_localization(denyhosts_t) - -sysnet_manage_config(denyhosts_t) -sysnet_etc_filetrans_config(denyhosts_t) - -optional_policy(` - cron_system_entry(denyhosts_t, denyhosts_exec_t) -') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc deleted file mode 100644 index 418a5a043..000000000 --- a/policy/modules/services/devicekit.fc +++ /dev/null @@ -1,14 +0,0 @@ -/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - -/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) - -/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if deleted file mode 100644 index f706b994f..000000000 --- a/policy/modules/services/devicekit.if +++ /dev/null @@ -1,185 +0,0 @@ -## Devicekit modular hardware abstraction layer - -######################################## -## -## Execute a domain transition to run devicekit. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`devicekit_domtrans',` - gen_require(` - type devicekit_t, devicekit_exec_t; - ') - - domtrans_pattern($1, devicekit_exec_t, devicekit_t) -') - -######################################## -## -## Send to devicekit over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dgram_send',` - gen_require(` - type devicekit_t; - ') - - allow $1 devicekit_t:unix_dgram_socket sendto; -') - -######################################## -## -## Send and receive messages from -## devicekit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dbus_chat',` - gen_require(` - type devicekit_t; - class dbus send_msg; - ') - - allow $1 devicekit_t:dbus send_msg; - allow devicekit_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## devicekit disk over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dbus_chat_disk',` - gen_require(` - type devicekit_disk_t; - class dbus send_msg; - ') - - allow $1 devicekit_disk_t:dbus send_msg; - allow devicekit_disk_t $1:dbus send_msg; -') - -######################################## -## -## Send signal devicekit power -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_signal_power',` - gen_require(` - type devicekit_power_t; - ') - - allow $1 devicekit_power_t:process signal; -') - -######################################## -## -## Send and receive messages from -## devicekit power over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_dbus_chat_power',` - gen_require(` - type devicekit_power_t; - class dbus send_msg; - ') - - allow $1 devicekit_power_t:dbus send_msg; - allow devicekit_power_t $1:dbus send_msg; -') - -######################################## -## -## Read devicekit PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`devicekit_read_pid_files',` - gen_require(` - type devicekit_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -') - -######################################## -## -## All of the rules required to administrate -## an devicekit environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the devicekit domain. -## -## -## -## -## The type of the user terminal. -## -## -## -# -interface(`devicekit_admin',` - gen_require(` - type devicekit_t, devicekit_disk_t, devicekit_power_t; - type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; - ') - - allow $1 devicekit_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_t) - - allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_disk_t) - - allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_power_t) - - admin_pattern($1, devicekit_tmp_t) - files_search_tmp($1) - - admin_pattern($1, devicekit_var_lib_t) - files_search_var_lib($1) - - admin_pattern($1, devicekit_var_run_t) - files_search_pids($1) -') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te deleted file mode 100644 index f231f17da..000000000 --- a/policy/modules/services/devicekit.te +++ /dev/null @@ -1,284 +0,0 @@ -policy_module(devicekit, 1.1.0) - -######################################## -# -# Declarations -# - -type devicekit_t; -type devicekit_exec_t; -dbus_system_domain(devicekit_t, devicekit_exec_t) - -type devicekit_power_t; -type devicekit_power_exec_t; -dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) - -type devicekit_disk_t; -type devicekit_disk_exec_t; -dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) - -type devicekit_tmp_t; -files_tmp_file(devicekit_tmp_t) - -type devicekit_var_run_t; -files_pid_file(devicekit_var_run_t) - -type devicekit_var_lib_t; -files_type(devicekit_var_lib_t) - -######################################## -# -# DeviceKit local policy -# - -allow devicekit_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) - -kernel_read_system_state(devicekit_t) - -dev_read_sysfs(devicekit_t) -dev_read_urand(devicekit_t) - -files_read_etc_files(devicekit_t) - -miscfiles_read_localization(devicekit_t) - -optional_policy(` - dbus_system_bus_client(devicekit_t) - - allow devicekit_t devicekit_disk_t:dbus send_msg; - allow devicekit_t devicekit_power_t:dbus send_msg; -') - -optional_policy(` - udev_read_db(devicekit_t) -') - -######################################## -# -# DeviceKit disk local policy -# - -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -allow devicekit_disk_t self:process { getsched signal_perms }; -allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; -allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) - -manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) - -manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) - -kernel_getattr_message_if(devicekit_disk_t) -kernel_read_fs_sysctls(devicekit_disk_t) -kernel_read_network_state(devicekit_disk_t) -kernel_read_software_raid_state(devicekit_disk_t) -kernel_read_system_state(devicekit_disk_t) -kernel_request_load_module(devicekit_disk_t) -kernel_setsched(devicekit_disk_t) - -corecmd_exec_bin(devicekit_disk_t) -corecmd_exec_shell(devicekit_disk_t) -corecmd_getattr_all_executables(devicekit_disk_t) - -dev_rw_sysfs(devicekit_disk_t) -dev_read_urand(devicekit_disk_t) -dev_getattr_usbfs_dirs(devicekit_disk_t) -dev_manage_generic_files(devicekit_disk_t) -dev_getattr_all_chr_files(devicekit_disk_t) -dev_getattr_mtrr_dev(devicekit_disk_t) - -domain_getattr_all_pipes(devicekit_disk_t) -domain_getattr_all_sockets(devicekit_disk_t) -domain_getattr_all_stream_sockets(devicekit_disk_t) -domain_read_all_domains_state(devicekit_disk_t) - -files_dontaudit_read_all_symlinks(devicekit_disk_t) -files_getattr_all_sockets(devicekit_disk_t) -files_getattr_all_mountpoints(devicekit_disk_t) -files_getattr_all_files(devicekit_disk_t) -files_manage_isid_type_dirs(devicekit_disk_t) -files_manage_mnt_dirs(devicekit_disk_t) -files_read_etc_files(devicekit_disk_t) -files_read_etc_runtime_files(devicekit_disk_t) -files_read_usr_files(devicekit_disk_t) - -fs_list_inotifyfs(devicekit_disk_t) -fs_manage_fusefs_dirs(devicekit_disk_t) -fs_mount_all_fs(devicekit_disk_t) -fs_unmount_all_fs(devicekit_disk_t) -fs_search_all(devicekit_disk_t) - -mls_file_read_all_levels(devicekit_disk_t) -mls_file_write_to_clearance(devicekit_disk_t) - -storage_raw_read_fixed_disk(devicekit_disk_t) -storage_raw_write_fixed_disk(devicekit_disk_t) -storage_raw_read_removable_device(devicekit_disk_t) -storage_raw_write_removable_device(devicekit_disk_t) - -term_use_all_terms(devicekit_disk_t) - -auth_use_nsswitch(devicekit_disk_t) - -miscfiles_read_localization(devicekit_disk_t) - -userdom_read_all_users_state(devicekit_disk_t) -userdom_search_user_home_dirs(devicekit_disk_t) - -optional_policy(` - dbus_system_bus_client(devicekit_disk_t) - - allow devicekit_disk_t devicekit_t:dbus send_msg; - - optional_policy(` - consolekit_dbus_chat(devicekit_disk_t) - ') -') - -optional_policy(` - fstools_domtrans(devicekit_disk_t) -') - -optional_policy(` - lvm_domtrans(devicekit_disk_t) -') - -optional_policy(` - mount_domtrans(devicekit_disk_t) -') - -optional_policy(` - policykit_dbus_chat(devicekit_disk_t) - policykit_domtrans_auth(devicekit_disk_t) - policykit_read_lib(devicekit_disk_t) - policykit_read_reload(devicekit_disk_t) -') - -optional_policy(` - raid_domtrans_mdadm(devicekit_disk_t) -') - -optional_policy(` - udev_domtrans(devicekit_disk_t) - udev_read_db(devicekit_disk_t) -') - -optional_policy(` - virt_manage_images(devicekit_disk_t) -') - -######################################## -# -# DeviceKit-Power local policy -# - -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process getsched; -allow devicekit_power_t self:fifo_file rw_fifo_file_perms; -allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) - -kernel_read_network_state(devicekit_power_t) -kernel_read_system_state(devicekit_power_t) -kernel_rw_hotplug_sysctls(devicekit_power_t) -kernel_rw_kernel_sysctl(devicekit_power_t) -kernel_search_debugfs(devicekit_power_t) -kernel_write_proc_files(devicekit_power_t) - -corecmd_exec_bin(devicekit_power_t) -corecmd_exec_shell(devicekit_power_t) - -consoletype_exec(devicekit_power_t) - -domain_read_all_domains_state(devicekit_power_t) - -dev_read_input(devicekit_power_t) -dev_rw_generic_usb_dev(devicekit_power_t) -dev_rw_generic_chr_files(devicekit_power_t) -dev_rw_netcontrol(devicekit_power_t) -dev_rw_sysfs(devicekit_power_t) - -files_read_kernel_img(devicekit_power_t) -files_read_etc_files(devicekit_power_t) -files_read_usr_files(devicekit_power_t) - -fs_list_inotifyfs(devicekit_power_t) - -term_use_all_terms(devicekit_power_t) - -auth_use_nsswitch(devicekit_power_t) - -miscfiles_read_localization(devicekit_power_t) - -sysnet_read_config(devicekit_power_t) -sysnet_domtrans_ifconfig(devicekit_power_t) - -userdom_read_all_users_state(devicekit_power_t) - -optional_policy(` - bootloader_domtrans(devicekit_power_t) -') - -optional_policy(` - cron_initrc_domtrans(devicekit_power_t) -') - -optional_policy(` - dbus_system_bus_client(devicekit_power_t) - - allow devicekit_power_t devicekit_t:dbus send_msg; - - optional_policy(` - consolekit_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - networkmanager_dbus_chat(devicekit_power_t) - ') - - optional_policy(` - rpm_dbus_chat(devicekit_power_t) - ') -') - -optional_policy(` - fstools_domtrans(devicekit_power_t) -') - -optional_policy(` - hal_domtrans_mac(devicekit_power_t) - hal_manage_log(devicekit_power_t) - hal_manage_pid_dirs(devicekit_power_t) - hal_manage_pid_files(devicekit_power_t) - hal_dbus_chat(devicekit_power_t) -') - -optional_policy(` - policykit_dbus_chat(devicekit_power_t) - policykit_domtrans_auth(devicekit_power_t) - policykit_read_lib(devicekit_power_t) - policykit_read_reload(devicekit_power_t) -') - -optional_policy(` - udev_read_db(devicekit_power_t) -') - -optional_policy(` - vbetool_domtrans(devicekit_power_t) -') diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc deleted file mode 100644 index 767e0c794..000000000 --- a/policy/modules/services/dhcp.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) - -/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - -/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) -/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) - -/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if deleted file mode 100644 index 5e2cea828..000000000 --- a/policy/modules/services/dhcp.if +++ /dev/null @@ -1,99 +0,0 @@ -## Dynamic host configuration protocol (DHCP) server - -######################################## -## -## Transition to dhcpd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dhcpd_domtrans',` - gen_require(` - type dhcpd_t, dhcpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) -') - -######################################## -## -## Set the attributes of the DCHP -## server state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dhcpd_setattr_state_files',` - gen_require(` - type dhcpd_state_t; - ') - - sysnet_search_dhcp_state($1) - allow $1 dhcpd_state_t:file setattr; -') - -######################################## -## -## Execute dhcp server in the dhcp domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`dhcpd_initrc_domtrans',` - gen_require(` - type dhcpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an dhcp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dhcp domain. -## -## -## -# -interface(`dhcpd_admin',` - gen_require(` - type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; - ') - - allow $1 dhcpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dhcpd_t) - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dhcpd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, dhcpd_tmp_t) - - admin_pattern($1, dhcpd_state_t) - - files_list_pids($1) - admin_pattern($1, dhcpd_var_run_t) -') diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te deleted file mode 100644 index d4424ad7f..000000000 --- a/policy/modules/services/dhcp.te +++ /dev/null @@ -1,124 +0,0 @@ -policy_module(dhcp, 1.9.0) - -######################################## -# -# Declarations -# - -type dhcpd_t; -type dhcpd_exec_t; -init_daemon_domain(dhcpd_t, dhcpd_exec_t) - -type dhcpd_initrc_exec_t; -init_script_file(dhcpd_initrc_exec_t) - -type dhcpd_state_t; -files_type(dhcpd_state_t) - -type dhcpd_tmp_t; -files_tmp_file(dhcpd_tmp_t) - -type dhcpd_var_run_t; -files_pid_file(dhcpd_var_run_t) - -######################################## -# -# Local policy -# - -allow dhcpd_t self:capability { net_raw sys_resource }; -dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process signal_perms; -allow dhcpd_t self:fifo_file rw_fifo_file_perms; -allow dhcpd_t self:unix_dgram_socket create_socket_perms; -allow dhcpd_t self:unix_stream_socket create_socket_perms; -allow dhcpd_t self:tcp_socket create_stream_socket_perms; -allow dhcpd_t self:udp_socket create_socket_perms; -# Allow dhcpd_t to use packet sockets -allow dhcpd_t self:packet_socket create_socket_perms; -allow dhcpd_t self:rawip_socket create_socket_perms; - -can_exec(dhcpd_t, dhcpd_exec_t) - -manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t) -sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file) - -manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir }) - -manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t) -files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file) - -kernel_read_system_state(dhcpd_t) -kernel_read_kernel_sysctls(dhcpd_t) -kernel_read_network_state(dhcpd_t) - -corenet_all_recvfrom_unlabeled(dhcpd_t) -corenet_all_recvfrom_netlabel(dhcpd_t) -corenet_tcp_sendrecv_generic_if(dhcpd_t) -corenet_udp_sendrecv_generic_if(dhcpd_t) -corenet_raw_sendrecv_generic_if(dhcpd_t) -corenet_tcp_sendrecv_generic_node(dhcpd_t) -corenet_udp_sendrecv_generic_node(dhcpd_t) -corenet_raw_sendrecv_generic_node(dhcpd_t) -corenet_tcp_sendrecv_all_ports(dhcpd_t) -corenet_udp_sendrecv_all_ports(dhcpd_t) -corenet_tcp_bind_generic_node(dhcpd_t) -corenet_udp_bind_generic_node(dhcpd_t) -corenet_tcp_bind_dhcpd_port(dhcpd_t) -corenet_udp_bind_dhcpd_port(dhcpd_t) -corenet_udp_bind_pxe_port(dhcpd_t) -corenet_tcp_connect_all_ports(dhcpd_t) -corenet_sendrecv_dhcpd_server_packets(dhcpd_t) -corenet_sendrecv_pxe_server_packets(dhcpd_t) -corenet_sendrecv_all_client_packets(dhcpd_t) - -dev_read_sysfs(dhcpd_t) -dev_read_rand(dhcpd_t) -dev_read_urand(dhcpd_t) - -fs_getattr_all_fs(dhcpd_t) -fs_search_auto_mountpoints(dhcpd_t) - -corecmd_exec_bin(dhcpd_t) - -domain_use_interactive_fds(dhcpd_t) - -files_read_etc_files(dhcpd_t) -files_read_usr_files(dhcpd_t) -files_read_etc_runtime_files(dhcpd_t) -files_search_var_lib(dhcpd_t) - -auth_use_nsswitch(dhcpd_t) - -logging_send_syslog_msg(dhcpd_t) - -miscfiles_read_localization(dhcpd_t) - -sysnet_read_dhcp_config(dhcpd_t) - -userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -userdom_dontaudit_search_user_home_dirs(dhcpd_t) - -ifdef(`distro_gentoo',` - allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; -') - -optional_policy(` - # used for dynamic DNS - bind_read_dnssec_keys(dhcpd_t) -') - -optional_policy(` - dbus_system_bus_client(dhcpd_t) - dbus_connect_system_bus(dhcpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(dhcpd_t) -') - -optional_policy(` - udev_read_db(dhcpd_t) -') diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc deleted file mode 100644 index 54f88c87b..000000000 --- a/policy/modules/services/dictd.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) - -/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) - -/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) - -/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) - -/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if deleted file mode 100644 index a0d23ce1a..000000000 --- a/policy/modules/services/dictd.if +++ /dev/null @@ -1,57 +0,0 @@ -## Dictionary daemon - -######################################## -## -## Use dictionary services by connecting -## over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`dictd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an dictd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dictd domain. -## -## -## -# -interface(`dictd_admin',` - gen_require(` - type dictd_t, dictd_etc_t, dictd_var_lib_t; - type dictd_var_run_t, dictd_initrc_exec_t; - ') - - allow $1 dictd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dictd_t) - - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dictd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, dictd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, dictd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dictd_var_run_t) -') diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te deleted file mode 100644 index d2d935943..000000000 --- a/policy/modules/services/dictd.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(dictd, 1.7.0) - -######################################## -# -# Declarations -# - -type dictd_t; -type dictd_exec_t; -init_daemon_domain(dictd_t, dictd_exec_t) - -type dictd_etc_t; -files_config_file(dictd_etc_t) - -type dictd_initrc_exec_t; -init_script_file(dictd_initrc_exec_t) - -type dictd_var_lib_t alias var_lib_dictd_t; -files_type(dictd_var_lib_t) - -type dictd_var_run_t; -files_pid_file(dictd_var_run_t) - -######################################## -# -# Local policy -# - -allow dictd_t self:capability { setuid setgid }; -dontaudit dictd_t self:capability sys_tty_config; -allow dictd_t self:process { signal_perms setpgid }; -allow dictd_t self:unix_stream_socket create_stream_socket_perms; -allow dictd_t self:tcp_socket create_stream_socket_perms; -allow dictd_t self:udp_socket create_socket_perms; - -allow dictd_t dictd_etc_t:file read_file_perms; -files_search_etc(dictd_t) - -allow dictd_t dictd_var_lib_t:dir list_dir_perms; -allow dictd_t dictd_var_lib_t:file read_file_perms; - -manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t) -files_pid_filetrans(dictd_t, dictd_var_run_t, file) - -kernel_read_system_state(dictd_t) -kernel_read_kernel_sysctls(dictd_t) - -corenet_all_recvfrom_unlabeled(dictd_t) -corenet_all_recvfrom_netlabel(dictd_t) -corenet_tcp_sendrecv_generic_if(dictd_t) -corenet_raw_sendrecv_generic_if(dictd_t) -corenet_udp_sendrecv_generic_if(dictd_t) -corenet_tcp_sendrecv_generic_node(dictd_t) -corenet_udp_sendrecv_generic_node(dictd_t) -corenet_raw_sendrecv_generic_node(dictd_t) -corenet_tcp_sendrecv_all_ports(dictd_t) -corenet_udp_sendrecv_all_ports(dictd_t) -corenet_tcp_bind_generic_node(dictd_t) -corenet_tcp_bind_dict_port(dictd_t) -corenet_sendrecv_dict_server_packets(dictd_t) - -dev_read_sysfs(dictd_t) - -fs_getattr_xattr_fs(dictd_t) -fs_search_auto_mountpoints(dictd_t) - -domain_use_interactive_fds(dictd_t) - -files_read_etc_files(dictd_t) -files_read_etc_runtime_files(dictd_t) -files_read_usr_files(dictd_t) -files_search_var_lib(dictd_t) -# for checking for nscd -files_dontaudit_search_pids(dictd_t) - -logging_send_syslog_msg(dictd_t) - -miscfiles_read_localization(dictd_t) - -sysnet_read_config(dictd_t) - -userdom_dontaudit_use_unpriv_user_fds(dictd_t) - -optional_policy(` - nis_use_ypbind(dictd_t) -') - -optional_policy(` - nscd_socket_use(dictd_t) -') - -optional_policy(` - seutil_sigchld_newrole(dictd_t) -') - -optional_policy(` - udev_read_db(dictd_t) -') diff --git a/policy/modules/services/distcc.fc b/policy/modules/services/distcc.fc deleted file mode 100644 index 6ce6b006f..000000000 --- a/policy/modules/services/distcc.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0) diff --git a/policy/modules/services/distcc.if b/policy/modules/services/distcc.if deleted file mode 100644 index 926e9595f..000000000 --- a/policy/modules/services/distcc.if +++ /dev/null @@ -1 +0,0 @@ -## Distributed compiler daemon diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te deleted file mode 100644 index 54d93e8f4..000000000 --- a/policy/modules/services/distcc.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(distcc, 1.8.0) - -######################################## -# -# Declarations -# - -type distccd_t; -type distccd_exec_t; -init_daemon_domain(distccd_t, distccd_exec_t) - -type distccd_log_t; -logging_log_file(distccd_log_t) - -type distccd_tmp_t; -files_tmp_file(distccd_tmp_t) - -type distccd_var_run_t; -files_pid_file(distccd_var_run_t) - -######################################## -# -# Local policy -# - -allow distccd_t self:capability { setgid setuid }; -dontaudit distccd_t self:capability sys_tty_config; -allow distccd_t self:process { signal_perms setsched }; -allow distccd_t self:fifo_file rw_fifo_file_perms; -allow distccd_t self:netlink_route_socket r_netlink_socket_perms; -allow distccd_t self:tcp_socket create_stream_socket_perms; -allow distccd_t self:udp_socket create_socket_perms; - -allow distccd_t distccd_log_t:file manage_file_perms; -logging_log_filetrans(distccd_t, distccd_log_t, file) - -manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) -manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) -files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir }) - -manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t) -files_pid_filetrans(distccd_t, distccd_var_run_t, file) - -kernel_read_system_state(distccd_t) -kernel_read_kernel_sysctls(distccd_t) - -corenet_all_recvfrom_unlabeled(distccd_t) -corenet_all_recvfrom_netlabel(distccd_t) -corenet_tcp_sendrecv_generic_if(distccd_t) -corenet_udp_sendrecv_generic_if(distccd_t) -corenet_tcp_sendrecv_generic_node(distccd_t) -corenet_udp_sendrecv_generic_node(distccd_t) -corenet_tcp_sendrecv_all_ports(distccd_t) -corenet_udp_sendrecv_all_ports(distccd_t) -corenet_tcp_bind_generic_node(distccd_t) -corenet_tcp_bind_distccd_port(distccd_t) -corenet_sendrecv_distccd_server_packets(distccd_t) - -dev_read_sysfs(distccd_t) - -fs_getattr_all_fs(distccd_t) -fs_search_auto_mountpoints(distccd_t) - -corecmd_exec_bin(distccd_t) -corecmd_read_bin_symlinks(distccd_t) - -domain_use_interactive_fds(distccd_t) - -files_read_etc_files(distccd_t) -files_read_etc_runtime_files(distccd_t) - -libs_exec_lib_files(distccd_t) - -logging_send_syslog_msg(distccd_t) - -miscfiles_read_localization(distccd_t) - -sysnet_read_config(distccd_t) - -userdom_dontaudit_use_unpriv_user_fds(distccd_t) -userdom_dontaudit_search_user_home_dirs(distccd_t) - -optional_policy(` - nis_use_ypbind(distccd_t) -') - -optional_policy(` - seutil_sigchld_newrole(distccd_t) -') - -optional_policy(` - udev_read_db(distccd_t) -') diff --git a/policy/modules/services/djbdns.fc b/policy/modules/services/djbdns.fc deleted file mode 100644 index fdb66525c..000000000 --- a/policy/modules/services/djbdns.fc +++ /dev/null @@ -1,9 +0,0 @@ - -/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0) -/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0) -/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0) - -/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0) -/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0) -/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0) - diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if deleted file mode 100644 index ade3079ba..000000000 --- a/policy/modules/services/djbdns.if +++ /dev/null @@ -1,90 +0,0 @@ -## small and secure DNS daemon - -######################################## -## -## Create a set of derived types for djbdns -## components that are directly supervised by daemontools. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`djbdns_daemontools_domain_template',` - - type djbdns_$1_t; - type djbdns_$1_exec_t; - type djbdns_$1_conf_t; - files_config_file(djbdns_$1_conf_t) - - domain_type(djbdns_$1_t) - domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t) - role system_r types djbdns_$1_t; - - daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t) - daemontools_read_svc(djbdns_$1_t) - - allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot }; - allow djbdns_$1_t self:process signal; - allow djbdns_$1_t self:fifo_file rw_fifo_file_perms; - allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; - allow djbdns_$1_t self:udp_socket create_socket_perms; - - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; - - corenet_all_recvfrom_unlabeled(djbdns_$1_t) - corenet_all_recvfrom_netlabel(djbdns_$1_t) - corenet_tcp_sendrecv_generic_if(djbdns_$1_t) - corenet_udp_sendrecv_generic_if(djbdns_$1_t) - corenet_tcp_sendrecv_generic_node(djbdns_$1_t) - corenet_udp_sendrecv_generic_node(djbdns_$1_t) - corenet_tcp_sendrecv_all_ports(djbdns_$1_t) - corenet_udp_sendrecv_all_ports(djbdns_$1_t) - corenet_tcp_bind_generic_node(djbdns_$1_t) - corenet_udp_bind_generic_node(djbdns_$1_t) - corenet_tcp_bind_dns_port(djbdns_$1_t) - corenet_udp_bind_dns_port(djbdns_$1_t) - corenet_udp_bind_generic_port(djbdns_$1_t) - corenet_sendrecv_dns_server_packets(djbdns_$1_t) - corenet_sendrecv_generic_server_packets(djbdns_$1_t) - - files_search_var(djbdns_$1_t) -') - -##################################### -## -## Allow search the djbdns-tinydns key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`djbdns_search_tinydns_keys',` - gen_require(` - type djbdns_tinydns_t; - ') - - allow $1 djbdns_tinydns_t:key search; -') - -##################################### -## -## Allow link to the djbdns-tinydns key ring. -## -## -## -## Domain allowed access. -## -## -# -interface(`djbdns_link_tinydns_keys',` - gen_require(` - type djbdns_tinydn_t; - ') - - allow $1 djbdns_tinydn_t:key link; -') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te deleted file mode 100644 index 03b5286db..000000000 --- a/policy/modules/services/djbdns.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(djbdns, 1.5.0) - -######################################## -# -# Declarations -# - -type djbdns_axfrdns_t; -type djbdns_axfrdns_exec_t; -domain_type(djbdns_axfrdns_t) -domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) -role system_r types djbdns_axfrdns_t; - -type djbdns_axfrdns_conf_t; -files_config_file(djbdns_axfrdns_conf_t) - -djbdns_daemontools_domain_template(dnscache) - -djbdns_daemontools_domain_template(tinydns) - -######################################## -# -# Local policy for axfrdns component -# - -daemontools_ipc_domain(djbdns_axfrdns_t) -daemontools_read_svc(djbdns_axfrdns_t) - -allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; - -allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; -allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms; - -allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms; -allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms; - -allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms; -allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; - -files_search_var(djbdns_axfrdns_t) - -ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) - -######################################## -# -# Local policy for tinydns -# - -init_dontaudit_use_script_fds(djbdns_tinydns_t) diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc deleted file mode 100644 index dc1056c5d..000000000 --- a/policy/modules/services/dkim.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) - -/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) - -/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if deleted file mode 100644 index 32d108ad3..000000000 --- a/policy/modules/services/dkim.if +++ /dev/null @@ -1 +0,0 @@ -## DomainKeys Identified Mail milter. diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te deleted file mode 100644 index 1b4983d42..000000000 --- a/policy/modules/services/dkim.te +++ /dev/null @@ -1,31 +0,0 @@ -policy_module(dkim, 1.0.0) - -######################################## -# -# Declarations -# - -milter_template(dkim) - -# Type for the private key of dkim-filter -type dkim_milter_private_key_t; -files_type(dkim_milter_private_key_t) - -######################################## -# -# Local policy -# - -allow dkim_milter_t self:capability { setgid setuid }; - -read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) - -kernel_read_kernel_sysctls(dkim_milter_t) - -dev_read_urand(dkim_milter_t) - -files_read_etc_files(dkim_milter_t) - -sysnet_dns_name_resolve(dkim_milter_t) - -mta_read_config(dkim_milter_t) diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc deleted file mode 100644 index b88667660..000000000 --- a/policy/modules/services/dnsmasq.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) -/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) - -/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - -/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - -/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) - -/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if deleted file mode 100644 index 9bd812b43..000000000 --- a/policy/modules/services/dnsmasq.if +++ /dev/null @@ -1,211 +0,0 @@ -## dnsmasq DNS forwarder and DHCP server - -######################################## -## -## Execute dnsmasq server in the dnsmasq domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`dnsmasq_domtrans',` - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) -') - -######################################## -## -## Execute the dnsmasq init script in the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`dnsmasq_initrc_domtrans',` - gen_require(` - type dnsmasq_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) -') - -######################################## -## -## Send dnsmasq a signal -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_signal',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signal; -') - -######################################## -## -## Send dnsmasq a signull -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_signull',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signull; -') - -######################################## -## -## Send dnsmasq a kill signal. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_kill',` - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process sigkill; -') - -######################################## -## -## Read dnsmasq config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dnsmasq_read_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## -## Write to dnsmasq config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dnsmasq_write_config',` - gen_require(` - type dnsmasq_etc_t; - ') - - write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) -') - -######################################## -## -## Delete dnsmasq pid files -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_delete_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## -## Read dnsmasq pid files -## -## -## -## Domain allowed access. -## -## -# -# -interface(`dnsmasq_read_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -') - -######################################## -## -## All of the rules required to administrate -## an dnsmasq environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dnsmasq domain. -## -## -## -# -interface(`dnsmasq_admin',` - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t; - ') - - allow $1 dnsmasq_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnsmasq_t) - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnsmasq_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, dnsmasq_lease_t) - - files_list_pids($1) - admin_pattern($1, dnsmasq_var_run_t) -') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te deleted file mode 100644 index fdaeebac8..000000000 --- a/policy/modules/services/dnsmasq.te +++ /dev/null @@ -1,117 +0,0 @@ -policy_module(dnsmasq, 1.9.0) - -######################################## -# -# Declarations -# - -type dnsmasq_t; -type dnsmasq_exec_t; -init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) - -type dnsmasq_initrc_exec_t; -init_script_file(dnsmasq_initrc_exec_t) - -type dnsmasq_etc_t; -files_config_file(dnsmasq_etc_t) - -type dnsmasq_lease_t; -files_type(dnsmasq_lease_t) - -type dnsmasq_var_log_t; -logging_log_file(dnsmasq_var_log_t) - -type dnsmasq_var_run_t; -files_pid_file(dnsmasq_var_run_t) - -######################################## -# -# Local policy -# - -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw }; -dontaudit dnsmasq_t self:capability sys_tty_config; -allow dnsmasq_t self:process { getcap setcap signal_perms }; -allow dnsmasq_t self:fifo_file rw_fifo_file_perms; -allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; -allow dnsmasq_t self:tcp_socket create_stream_socket_perms; -allow dnsmasq_t self:udp_socket create_socket_perms; -allow dnsmasq_t self:packet_socket create_socket_perms; -allow dnsmasq_t self:rawip_socket create_socket_perms; - -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) - -# dhcp leases -manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) -files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) - -manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) -logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) - -manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) - -kernel_read_kernel_sysctls(dnsmasq_t) -kernel_read_system_state(dnsmasq_t) - -corenet_all_recvfrom_unlabeled(dnsmasq_t) -corenet_all_recvfrom_netlabel(dnsmasq_t) -corenet_tcp_sendrecv_generic_if(dnsmasq_t) -corenet_udp_sendrecv_generic_if(dnsmasq_t) -corenet_raw_sendrecv_generic_if(dnsmasq_t) -corenet_tcp_sendrecv_generic_node(dnsmasq_t) -corenet_udp_sendrecv_generic_node(dnsmasq_t) -corenet_raw_sendrecv_generic_node(dnsmasq_t) -corenet_tcp_sendrecv_all_ports(dnsmasq_t) -corenet_udp_sendrecv_all_ports(dnsmasq_t) -corenet_tcp_bind_generic_node(dnsmasq_t) -corenet_udp_bind_generic_node(dnsmasq_t) -corenet_tcp_bind_dns_port(dnsmasq_t) -corenet_udp_bind_all_ports(dnsmasq_t) -corenet_sendrecv_dns_server_packets(dnsmasq_t) -corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) - -dev_read_sysfs(dnsmasq_t) -dev_read_urand(dnsmasq_t) - -domain_use_interactive_fds(dnsmasq_t) - -files_read_etc_files(dnsmasq_t) -files_read_etc_runtime_files(dnsmasq_t) - -fs_getattr_all_fs(dnsmasq_t) -fs_search_auto_mountpoints(dnsmasq_t) - -auth_use_nsswitch(dnsmasq_t) - -logging_send_syslog_msg(dnsmasq_t) - -miscfiles_read_localization(dnsmasq_t) - -userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) -userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - -optional_policy(` - cobbler_read_lib_files(dnsmasq_t) -') - -optional_policy(` - dbus_system_bus_client(dnsmasq_t) -') - -optional_policy(` - seutil_sigchld_newrole(dnsmasq_t) -') - -optional_policy(` - tftp_read_content(dnsmasq_t) -') - -optional_policy(` - udev_read_db(dnsmasq_t) -') - -optional_policy(` - virt_manage_lib_files(dnsmasq_t) - virt_read_pid_files(dnsmasq_t) -') diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc deleted file mode 100644 index bfc880b6b..000000000 --- a/policy/modules/services/dovecot.fc +++ /dev/null @@ -1,43 +0,0 @@ - -# -# /etc -# -/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - -/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) - -/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) - -ifdef(`distro_debian', ` -/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -') - -ifdef(`distro_redhat', ` -/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -') - -# -# /var -# -/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) -/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if deleted file mode 100644 index e1d7dc5ae..000000000 --- a/policy/modules/services/dovecot.if +++ /dev/null @@ -1,130 +0,0 @@ -## Dovecot POP and IMAP mail server - -######################################## -## -## Connect to dovecot auth unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`dovecot_stream_connect_auth',` - gen_require(` - type dovecot_auth_t, dovecot_var_run_t; - ') - - stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) -') - -######################################## -## -## Execute dovecot_deliver in the dovecot_deliver domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`dovecot_domtrans_deliver',` - gen_require(` - type dovecot_deliver_t, dovecot_deliver_exec_t; - ') - - domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) -') - -######################################## -## -## Create, read, write, and delete the dovecot spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`dovecot_manage_spool',` - gen_require(` - type dovecot_spool_t; - ') - - manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) - manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) -') - -######################################## -## -## Do not audit attempts to delete dovecot lib files. -## -## -## -## Domain to not audit. -## -## -# -interface(`dovecot_dontaudit_unlink_lib_files',` - gen_require(` - type dovecot_var_lib_t; - ') - - dontaudit $1 dovecot_var_lib_t:file unlink; -') - -######################################## -## -## All of the rules required to administrate -## an dovecot environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the dovecot domain. -## -## -## -# -interface(`dovecot_admin',` - gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_log_t; - type dovecot_spool_t, dovecot_var_lib_t; - type dovecot_var_run_t; - - type dovecot_cert_t, dovecot_passwd_t; - type dovecot_initrc_exec_t; - ') - - allow $1 dovecot_t:process { ptrace signal_perms }; - ps_process_pattern($1, dovecot_t) - - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dovecot_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, dovecot_etc_t) - - logging_list_logs($1) - admin_pattern($1, dovecot_log_t) - - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) - - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dovecot_var_run_t) - - admin_pattern($1, dovecot_cert_t) - - admin_pattern($1, dovecot_passwd_t) -') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te deleted file mode 100644 index bc0481371..000000000 --- a/policy/modules/services/dovecot.te +++ /dev/null @@ -1,306 +0,0 @@ -policy_module(dovecot, 1.13.0) - -######################################## -# -# Declarations -# -type dovecot_t; -type dovecot_exec_t; -init_daemon_domain(dovecot_t, dovecot_exec_t) - -type dovecot_auth_t; -type dovecot_auth_exec_t; -domain_type(dovecot_auth_t) -domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) -role system_r types dovecot_auth_t; - -type dovecot_auth_tmp_t; -files_tmp_file(dovecot_auth_tmp_t) - -type dovecot_cert_t; -files_type(dovecot_cert_t) - -type dovecot_deliver_t; -type dovecot_deliver_exec_t; -domain_type(dovecot_deliver_t) -domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) -role system_r types dovecot_deliver_t; - -type dovecot_etc_t; -files_config_file(dovecot_etc_t) - -type dovecot_initrc_exec_t; -init_script_file(dovecot_initrc_exec_t) - -type dovecot_passwd_t; -files_type(dovecot_passwd_t) - -type dovecot_spool_t; -files_type(dovecot_spool_t) - -type dovecot_tmp_t; -files_tmp_file(dovecot_tmp_t) - -# /var/lib/dovecot holds SSL parameters file -type dovecot_var_lib_t; -files_type(dovecot_var_lib_t) - -type dovecot_var_log_t; -logging_log_file(dovecot_var_log_t) - -type dovecot_var_run_t; -files_pid_file(dovecot_var_run_t) - -######################################## -# -# dovecot local policy -# - -allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; -dontaudit dovecot_t self:capability sys_tty_config; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; -allow dovecot_t self:fifo_file rw_fifo_file_perms; -allow dovecot_t self:tcp_socket create_stream_socket_perms; -allow dovecot_t self:unix_dgram_socket create_socket_perms; -allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) - -allow dovecot_t dovecot_auth_t:process signal; - -allow dovecot_t dovecot_cert_t:dir list_dir_perms; -read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) - -allow dovecot_t dovecot_etc_t:file read_file_perms; -files_search_etc(dovecot_t) - -can_exec(dovecot_t, dovecot_exec_t) - -manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) -manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) -files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) - -# Allow dovecot to create and read SSL parameters file -manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) -files_search_var_lib(dovecot_t) -files_read_var_symlinks(dovecot_t) - -manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) - -manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - -manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) - -kernel_read_kernel_sysctls(dovecot_t) -kernel_read_system_state(dovecot_t) - -corenet_all_recvfrom_unlabeled(dovecot_t) -corenet_all_recvfrom_netlabel(dovecot_t) -corenet_tcp_sendrecv_generic_if(dovecot_t) -corenet_tcp_sendrecv_generic_node(dovecot_t) -corenet_tcp_sendrecv_all_ports(dovecot_t) -corenet_tcp_bind_generic_node(dovecot_t) -corenet_tcp_bind_mail_port(dovecot_t) -corenet_tcp_bind_pop_port(dovecot_t) -corenet_tcp_bind_sieve_port(dovecot_t) -corenet_tcp_connect_all_ports(dovecot_t) -corenet_tcp_connect_postgresql_port(dovecot_t) -corenet_sendrecv_pop_server_packets(dovecot_t) -corenet_sendrecv_all_client_packets(dovecot_t) - -dev_read_sysfs(dovecot_t) -dev_read_urand(dovecot_t) - -fs_getattr_all_fs(dovecot_t) -fs_getattr_all_dirs(dovecot_t) -fs_search_auto_mountpoints(dovecot_t) -fs_list_inotifyfs(dovecot_t) - -corecmd_exec_bin(dovecot_t) - -domain_use_interactive_fds(dovecot_t) - -files_read_etc_files(dovecot_t) -files_search_spool(dovecot_t) -files_search_tmp(dovecot_t) -files_dontaudit_list_default(dovecot_t) -# Dovecot now has quota support and it uses getmntent() to find the mountpoints. -files_read_etc_runtime_files(dovecot_t) -files_search_all_mountpoints(dovecot_t) - -init_getattr_utmp(dovecot_t) - -auth_use_nsswitch(dovecot_t) - -logging_send_syslog_msg(dovecot_t) - -miscfiles_read_generic_certs(dovecot_t) -miscfiles_read_localization(dovecot_t) - -userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_manage_user_home_content_dirs(dovecot_t) -userdom_manage_user_home_content_files(dovecot_t) -userdom_manage_user_home_content_symlinks(dovecot_t) -userdom_manage_user_home_content_pipes(dovecot_t) -userdom_manage_user_home_content_sockets(dovecot_t) -userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) - -mta_manage_spool(dovecot_t) - -optional_policy(` - kerberos_keytab_template(dovecot, dovecot_t) -') - -optional_policy(` - postgresql_stream_connect(dovecot_t) -') - -optional_policy(` - seutil_sigchld_newrole(dovecot_t) -') - -optional_policy(` - squid_dontaudit_search_cache(dovecot_t) -') - -optional_policy(` - udev_read_db(dovecot_t) -') - -######################################## -# -# dovecot auth local policy -# - -allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; -allow dovecot_auth_t self:process { signal_perms getcap setcap }; -allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; -allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; - -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - -read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) - -manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) - -allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; -manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -dovecot_stream_connect_auth(dovecot_auth_t) - -kernel_read_all_sysctls(dovecot_auth_t) -kernel_read_system_state(dovecot_auth_t) - -logging_send_audit_msgs(dovecot_auth_t) -logging_send_syslog_msg(dovecot_auth_t) - -dev_read_urand(dovecot_auth_t) - -auth_domtrans_chk_passwd(dovecot_auth_t) -auth_use_nsswitch(dovecot_auth_t) - -files_read_etc_files(dovecot_auth_t) -files_read_etc_runtime_files(dovecot_auth_t) -files_search_pids(dovecot_auth_t) -files_read_usr_files(dovecot_auth_t) -files_read_usr_symlinks(dovecot_auth_t) -files_read_var_lib_files(dovecot_auth_t) -files_search_tmp(dovecot_auth_t) -files_read_var_lib_files(dovecot_t) - -init_rw_utmp(dovecot_auth_t) - -miscfiles_read_localization(dovecot_auth_t) - -seutil_dontaudit_search_config(dovecot_auth_t) - -optional_policy(` - kerberos_use(dovecot_auth_t) - - # for gssapi (kerberos) - userdom_list_user_tmp(dovecot_auth_t) - userdom_read_user_tmp_files(dovecot_auth_t) - userdom_read_user_tmp_symlinks(dovecot_auth_t) -') - -optional_policy(` - mysql_search_db(dovecot_auth_t) - mysql_stream_connect(dovecot_auth_t) -') - -optional_policy(` - nis_authenticate(dovecot_auth_t) -') - -optional_policy(` - postfix_search_spool(dovecot_auth_t) -') - -######################################## -# -# dovecot deliver local policy -# -allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; - -allow dovecot_deliver_t dovecot_t:process signull; - -allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; -allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; - -kernel_read_all_sysctls(dovecot_deliver_t) -kernel_read_system_state(dovecot_deliver_t) - -files_read_etc_files(dovecot_deliver_t) -files_read_etc_runtime_files(dovecot_deliver_t) - -auth_use_nsswitch(dovecot_deliver_t) - -logging_send_syslog_msg(dovecot_deliver_t) -logging_search_logs(dovecot_auth_t) - -miscfiles_read_localization(dovecot_deliver_t) - -dovecot_stream_connect_auth(dovecot_deliver_t) - -files_search_tmp(dovecot_deliver_t) - -fs_getattr_all_fs(dovecot_deliver_t) - -userdom_manage_user_home_content_dirs(dovecot_deliver_t) -userdom_manage_user_home_content_files(dovecot_deliver_t) -userdom_manage_user_home_content_symlinks(dovecot_deliver_t) -userdom_manage_user_home_content_pipes(dovecot_deliver_t) -userdom_manage_user_home_content_sockets(dovecot_deliver_t) -userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_deliver_t) - fs_manage_nfs_files(dovecot_deliver_t) - fs_manage_nfs_symlinks(dovecot_deliver_t) - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_deliver_t) - fs_manage_cifs_files(dovecot_deliver_t) - fs_manage_cifs_symlinks(dovecot_deliver_t) - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) - fs_manage_cifs_symlinks(dovecot_t) -') - -optional_policy(` - mta_manage_spool(dovecot_deliver_t) -') diff --git a/policy/modules/services/entropyd.fc b/policy/modules/services/entropyd.fc deleted file mode 100644 index d2d8ce348..000000000 --- a/policy/modules/services/entropyd.fc +++ /dev/null @@ -1,8 +0,0 @@ -# -# /usr -# -/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) -/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0) - -/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) -/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff --git a/policy/modules/services/entropyd.if b/policy/modules/services/entropyd.if deleted file mode 100644 index 67906f01f..000000000 --- a/policy/modules/services/entropyd.if +++ /dev/null @@ -1 +0,0 @@ -## Generate entropy from audio input diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te deleted file mode 100644 index b6ac808a4..000000000 --- a/policy/modules/services/entropyd.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(entropyd, 1.7.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow the use of the audio devices as the source for the entropy feeds -##

-## -gen_tunable(entropyd_use_audio, false) - -type entropyd_t; -type entropyd_exec_t; -init_daemon_domain(entropyd_t, entropyd_exec_t) - -type entropyd_var_run_t; -files_pid_file(entropyd_var_run_t) - -######################################## -# -# Local policy -# - -allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit entropyd_t self:capability sys_tty_config; -allow entropyd_t self:process signal_perms; -allow entropyd_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) -files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) - -kernel_rw_kernel_sysctl(entropyd_t) -kernel_list_proc(entropyd_t) -kernel_read_proc_symlinks(entropyd_t) - -dev_read_sysfs(entropyd_t) -dev_read_urand(entropyd_t) -dev_write_urand(entropyd_t) -dev_read_rand(entropyd_t) -dev_write_rand(entropyd_t) - -files_read_etc_files(entropyd_t) -files_read_usr_files(entropyd_t) - -fs_getattr_all_fs(entropyd_t) -fs_search_auto_mountpoints(entropyd_t) - -domain_use_interactive_fds(entropyd_t) - -logging_send_syslog_msg(entropyd_t) - -miscfiles_read_localization(entropyd_t) - -userdom_dontaudit_use_unpriv_user_fds(entropyd_t) -userdom_dontaudit_search_user_home_dirs(entropyd_t) - -tunable_policy(`entropyd_use_audio',` - dev_read_sound(entropyd_t) - # set sound card parameters such as sample format, number of channels - # and sample rate. - dev_write_sound(entropyd_t) -') - -optional_policy(` - tunable_policy(`entropyd_use_audio',` - alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(entropyd_t) -') - -optional_policy(` - udev_read_db(entropyd_t) -') diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc deleted file mode 100644 index 298f06606..000000000 --- a/policy/modules/services/exim.fc +++ /dev/null @@ -1,8 +0,0 @@ -/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) -/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) -/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) -/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) - -ifdef(`distro_debian',` -/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) -') diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if deleted file mode 100644 index 6bef7f864..000000000 --- a/policy/modules/services/exim.if +++ /dev/null @@ -1,196 +0,0 @@ -## Exim mail transfer agent - -######################################## -## -## Execute a domain transition to run exim. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`exim_domtrans',` - gen_require(` - type exim_t, exim_exec_t; - ') - - domtrans_pattern($1, exim_exec_t, exim_t) -') - -######################################## -## -## Do not audit attempts to read, -## exim tmp files -## -## -## -## Domain to not audit. -## -## -# -interface(`exim_dontaudit_read_tmp_files',` - gen_require(` - type exim_tmp_t; - ') - - dontaudit $1 exim_tmp_t:file read_file_perms; -') - -######################################## -## -## Allow domain to read, exim tmp files -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_read_tmp_files',` - gen_require(` - type exim_tmp_t; - ') - - allow $1 exim_tmp_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Read exim PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_read_pid_files',` - gen_require(` - type exim_var_run_t; - ') - - allow $1 exim_var_run_t:file read_file_perms; - files_search_pids($1) -') - -######################################## -## -## Allow the specified domain to read exim's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`exim_read_log',` - gen_require(` - type exim_log_t; - ') - - read_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## -## Allow the specified domain to append -## exim log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_append_log',` - gen_require(` - type exim_log_t; - ') - - append_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## -## Allow the specified domain to manage exim's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`exim_manage_log',` - gen_require(` - type exim_log_t; - ') - - manage_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) -') - -######################################## -## -## Create, read, write, and delete -## exim spool dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_manage_spool_dirs',` - gen_require(` - type exim_spool_t; - ') - - manage_dirs_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) -') - -######################################## -## -## Read exim spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_read_spool_files',` - gen_require(` - type exim_spool_t; - ') - - allow $1 exim_spool_t:file read_file_perms; - allow $1 exim_spool_t:dir list_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Create, read, write, and delete -## exim spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`exim_manage_spool_files',` - gen_require(` - type exim_spool_t; - ') - - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) -') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te deleted file mode 100644 index f28f64b9f..000000000 --- a/policy/modules/services/exim.te +++ /dev/null @@ -1,203 +0,0 @@ -policy_module(exim, 1.5.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow exim to connect to databases (postgres, mysql) -##

-## -gen_tunable(exim_can_connect_db, false) - -## -##

-## Allow exim to read unprivileged user files. -##

-## -gen_tunable(exim_read_user_files, false) - -## -##

-## Allow exim to create, read, write, and delete -## unprivileged user files. -##

-## -gen_tunable(exim_manage_user_files, false) - -type exim_t; -type exim_exec_t; -init_daemon_domain(exim_t, exim_exec_t) -mta_mailserver(exim_t, exim_exec_t) -mta_mailserver_user_agent(exim_t) -application_executable_file(exim_exec_t) -mta_agent_executable(exim_exec_t) - -type exim_log_t; -logging_log_file(exim_log_t) - -type exim_spool_t; -files_type(exim_spool_t) - -type exim_tmp_t; -files_tmp_file(exim_tmp_t) - -type exim_var_run_t; -files_pid_file(exim_var_run_t) - -######################################## -# -# exim local policy -# - -allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; -allow exim_t self:process { setrlimit setpgid }; -allow exim_t self:fifo_file rw_fifo_file_perms; -allow exim_t self:unix_stream_socket create_stream_socket_perms; -allow exim_t self:tcp_socket create_stream_socket_perms; -allow exim_t self:udp_socket create_socket_perms; - -can_exec(exim_t, exim_exec_t) - -manage_files_pattern(exim_t, exim_log_t, exim_log_t) -logging_log_filetrans(exim_t, exim_log_t, { file dir }) - -manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t) -manage_files_pattern(exim_t, exim_spool_t, exim_spool_t) -manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t) -files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file }) - -manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t) -manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t) -files_tmp_filetrans(exim_t, exim_tmp_t, { file dir }) - -manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t) -manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) -files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(exim_t) -kernel_read_network_state(exim_t) -kernel_dontaudit_read_system_state(exim_t) - -corecmd_search_bin(exim_t) - -corenet_all_recvfrom_unlabeled(exim_t) -corenet_all_recvfrom_netlabel(exim_t) -corenet_tcp_sendrecv_generic_if(exim_t) -corenet_udp_sendrecv_generic_if(exim_t) -corenet_tcp_sendrecv_generic_node(exim_t) -corenet_udp_sendrecv_generic_node(exim_t) -corenet_tcp_sendrecv_all_ports(exim_t) -corenet_tcp_bind_generic_node(exim_t) -corenet_tcp_bind_smtp_port(exim_t) -corenet_tcp_bind_amavisd_send_port(exim_t) -corenet_tcp_connect_auth_port(exim_t) -corenet_tcp_connect_smtp_port(exim_t) -corenet_tcp_connect_ldap_port(exim_t) -corenet_tcp_connect_inetd_child_port(exim_t) -# connect to spamassassin -corenet_tcp_connect_spamd_port(exim_t) - -dev_read_rand(exim_t) -dev_read_urand(exim_t) - -# Init script handling -domain_use_interactive_fds(exim_t) - -files_search_usr(exim_t) -files_search_var(exim_t) -files_read_etc_files(exim_t) -files_read_etc_runtime_files(exim_t) -files_getattr_all_mountpoints(exim_t) - -fs_getattr_xattr_fs(exim_t) -fs_list_inotifyfs(exim_t) - -auth_use_nsswitch(exim_t) - -logging_send_syslog_msg(exim_t) - -miscfiles_read_localization(exim_t) -miscfiles_read_generic_certs(exim_t) - -userdom_dontaudit_search_user_home_dirs(exim_t) - -mta_read_aliases(exim_t) -mta_read_config(exim_t) -mta_manage_spool(exim_t) -mta_mailserver_delivery(exim_t) - -tunable_policy(`exim_can_connect_db',` - corenet_tcp_connect_mysqld_port(exim_t) - corenet_sendrecv_mysqld_client_packets(exim_t) - corenet_tcp_connect_postgresql_port(exim_t) - corenet_sendrecv_postgresql_client_packets(exim_t) -') - -tunable_policy(`exim_read_user_files',` - userdom_read_user_home_content_files(exim_t) - userdom_read_user_tmp_files(exim_t) -') - -tunable_policy(`exim_manage_user_files',` - userdom_manage_user_home_content_dirs(exim_t) - userdom_read_user_tmp_files(exim_t) - userdom_write_user_tmp_files(exim_t) -') - -optional_policy(` - clamav_domtrans_clamscan(exim_t) - clamav_stream_connect(exim_t) -') - -optional_policy(` - cron_read_pipes(exim_t) - cron_rw_system_job_pipes(exim_t) -') - -optional_policy(` - cyrus_stream_connect(exim_t) -') - -optional_policy(` - kerberos_keytab_template(exim, exim_t) -') - -optional_policy(` - mailman_read_data_files(exim_t) - mailman_domtrans(exim_t) -') - -optional_policy(` - tunable_policy(`exim_can_connect_db',` - mysql_stream_connect(exim_t) - ') -') - -optional_policy(` - tunable_policy(`exim_can_connect_db',` - postgresql_stream_connect(exim_t) - ') -') - -optional_policy(` - procmail_domtrans(exim_t) -') - -optional_policy(` - sasl_connect(exim_t) -') - -optional_policy(` - # https://bugzilla.redhat.com/show_bug.cgi?id=512710 - # uses sendmail for outgoing mail and exim - # for incoming mail - sendmail_manage_tmp_files(exim_t) -') - -optional_policy(` - spamassassin_exec(exim_t) - spamassassin_exec_client(exim_t) -') diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc deleted file mode 100644 index 0de2b83b3..000000000 --- a/policy/modules/services/fail2ban.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) - -/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) -/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) - -/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) -/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if deleted file mode 100644 index f590a1ffe..000000000 --- a/policy/modules/services/fail2ban.if +++ /dev/null @@ -1,175 +0,0 @@ -## Update firewall filtering to ban IP addresses with too many password failures. - -######################################## -## -## Execute a domain transition to run fail2ban. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`fail2ban_domtrans',` - gen_require(` - type fail2ban_t, fail2ban_exec_t; - ') - - domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) -') - -##################################### -## -## Connect to fail2ban over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_stream_connect',` - gen_require(` - type fail2ban_t, fail2ban_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) -') - -######################################## -## -## Read and write to an fail2ban unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_rw_stream_sockets',` - gen_require(` - type fail2ban_t; - ') - - allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; -') - -######################################## -## -## Read fail2ban lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_read_lib_files',` - gen_require(` - type fail2ban_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 fail2ban_var_lib_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to read fail2ban's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fail2ban_read_log',` - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to append -## fail2ban log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_append_log',` - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file append_file_perms; -') - -######################################## -## -## Read fail2ban PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`fail2ban_read_pid_files',` - gen_require(` - type fail2ban_var_run_t; - ') - - files_search_pids($1) - allow $1 fail2ban_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an fail2ban environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the fail2ban domain. -## -## -## -# -interface(`fail2ban_admin',` - gen_require(` - type fail2ban_t, fail2ban_log_t; - type fail2ban_var_run_t, fail2ban_initrc_exec_t; - ') - - allow $1 fail2ban_t:process { ptrace signal_perms }; - ps_process_pattern($1, fail2ban_t) - - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fail2ban_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, fail2ban_log_t) - - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) -') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te deleted file mode 100644 index 2a69e5ece..000000000 --- a/policy/modules/services/fail2ban.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(fail2ban, 1.4.0) - -######################################## -# -# Declarations -# - -type fail2ban_t; -type fail2ban_exec_t; -init_daemon_domain(fail2ban_t, fail2ban_exec_t) - -type fail2ban_initrc_exec_t; -init_script_file(fail2ban_initrc_exec_t) - -# log files -type fail2ban_log_t; -logging_log_file(fail2ban_log_t) - -type fail2ban_var_lib_t; -files_type(fail2ban_var_lib_t) - -# pid files -type fail2ban_var_run_t; -files_pid_file(fail2ban_var_run_t) - -######################################## -# -# fail2ban local policy -# - -allow fail2ban_t self:capability { sys_tty_config }; -allow fail2ban_t self:process signal; -allow fail2ban_t self:fifo_file rw_fifo_file_perms; -allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow fail2ban_t self:unix_dgram_socket create_socket_perms; -allow fail2ban_t self:tcp_socket create_stream_socket_perms; - -# log files -allow fail2ban_t fail2ban_log_t:dir setattr; -manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) - -manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) -manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) -files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file }) - -# pid file -manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) - -kernel_read_system_state(fail2ban_t) - -corecmd_exec_bin(fail2ban_t) -corecmd_exec_shell(fail2ban_t) - -corenet_all_recvfrom_unlabeled(fail2ban_t) -corenet_all_recvfrom_netlabel(fail2ban_t) -corenet_tcp_sendrecv_generic_if(fail2ban_t) -corenet_tcp_sendrecv_generic_node(fail2ban_t) -corenet_tcp_sendrecv_all_ports(fail2ban_t) -corenet_tcp_connect_whois_port(fail2ban_t) -corenet_sendrecv_whois_client_packets(fail2ban_t) - -dev_read_urand(fail2ban_t) - -domain_use_interactive_fds(fail2ban_t) - -files_read_etc_files(fail2ban_t) -files_read_etc_runtime_files(fail2ban_t) -files_read_usr_files(fail2ban_t) -files_list_var(fail2ban_t) -files_search_var_lib(fail2ban_t) - -fs_list_inotifyfs(fail2ban_t) -fs_getattr_all_fs(fail2ban_t) - -auth_use_nsswitch(fail2ban_t) - -logging_read_all_logs(fail2ban_t) -logging_send_syslog_msg(fail2ban_t) - -miscfiles_read_localization(fail2ban_t) - -mta_send_mail(fail2ban_t) - -optional_policy(` - apache_read_log(fail2ban_t) -') - -optional_policy(` - ftp_read_log(fail2ban_t) -') - -optional_policy(` - iptables_domtrans(fail2ban_t) -') diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc deleted file mode 100644 index 455c62036..000000000 --- a/policy/modules/services/fetchmail.fc +++ /dev/null @@ -1,19 +0,0 @@ - -# -# /etc -# - -/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) - -# -# /usr -# - -/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0) - -# -# /var -# - -/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) -/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if deleted file mode 100644 index 6537214cb..000000000 --- a/policy/modules/services/fetchmail.if +++ /dev/null @@ -1,30 +0,0 @@ -## Remote-mail retrieval and forwarding utility - -######################################## -## -## All of the rules required to administrate -## an fetchmail environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`fetchmail_admin',` - gen_require(` - type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; - type fetchmail_var_run_t; - ') - - ps_process_pattern($1, fetchmail_t) - - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) - - admin_pattern($1, fetchmail_uidl_cache_t) - - files_list_pids($1) - admin_pattern($1, fetchmail_var_run_t) -') diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te deleted file mode 100644 index 3459d9364..000000000 --- a/policy/modules/services/fetchmail.te +++ /dev/null @@ -1,104 +0,0 @@ -policy_module(fetchmail, 1.11.0) - -######################################## -# -# Declarations -# - -type fetchmail_t; -type fetchmail_exec_t; -init_daemon_domain(fetchmail_t, fetchmail_exec_t) -application_executable_file(fetchmail_exec_t) - -type fetchmail_var_run_t; -files_pid_file(fetchmail_var_run_t) - -type fetchmail_etc_t; -files_config_file(fetchmail_etc_t) - -type fetchmail_uidl_cache_t; -files_type(fetchmail_uidl_cache_t) - -######################################## -# -# Local policy -# - -dontaudit fetchmail_t self:capability sys_tty_config; -allow fetchmail_t self:process { signal_perms setrlimit }; -allow fetchmail_t self:unix_dgram_socket create_socket_perms; -allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; -allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; -allow fetchmail_t self:tcp_socket create_socket_perms; -allow fetchmail_t self:udp_socket create_socket_perms; - -allow fetchmail_t fetchmail_etc_t:file read_file_perms; - -allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; -mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) - -manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(fetchmail_t) -kernel_list_proc(fetchmail_t) -kernel_getattr_proc_files(fetchmail_t) -kernel_read_proc_symlinks(fetchmail_t) -kernel_dontaudit_read_system_state(fetchmail_t) - -#looks like it uses system command - calls uname -corecmd_exec_bin(fetchmail_t) -corecmd_exec_shell(fetchmail_t) - -corenet_all_recvfrom_unlabeled(fetchmail_t) -corenet_all_recvfrom_netlabel(fetchmail_t) -corenet_tcp_sendrecv_generic_if(fetchmail_t) -corenet_udp_sendrecv_generic_if(fetchmail_t) -corenet_tcp_sendrecv_generic_node(fetchmail_t) -corenet_udp_sendrecv_generic_node(fetchmail_t) -corenet_tcp_sendrecv_dns_port(fetchmail_t) -corenet_udp_sendrecv_dns_port(fetchmail_t) -corenet_tcp_sendrecv_pop_port(fetchmail_t) -corenet_tcp_sendrecv_smtp_port(fetchmail_t) -corenet_tcp_connect_all_ports(fetchmail_t) -corenet_sendrecv_all_client_packets(fetchmail_t) - -dev_read_sysfs(fetchmail_t) -dev_read_rand(fetchmail_t) -dev_read_urand(fetchmail_t) - -files_read_etc_files(fetchmail_t) -files_read_etc_runtime_files(fetchmail_t) -files_dontaudit_search_home(fetchmail_t) - -fs_getattr_all_fs(fetchmail_t) -fs_search_auto_mountpoints(fetchmail_t) - -domain_use_interactive_fds(fetchmail_t) - -logging_send_syslog_msg(fetchmail_t) - -miscfiles_read_localization(fetchmail_t) -miscfiles_read_generic_certs(fetchmail_t) - -sysnet_read_config(fetchmail_t) - -userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) -userdom_dontaudit_search_user_home_dirs(fetchmail_t) - -optional_policy(` - procmail_domtrans(fetchmail_t) -') - -optional_policy(` - sendmail_manage_log(fetchmail_t) -') - -optional_policy(` - seutil_sigchld_newrole(fetchmail_t) -') - -optional_policy(` - udev_read_db(fetchmail_t) -') diff --git a/policy/modules/services/finger.fc b/policy/modules/services/finger.fc deleted file mode 100644 index c86119235..000000000 --- a/policy/modules/services/finger.fc +++ /dev/null @@ -1,19 +0,0 @@ -# fingerd - -# -# /etc -# -/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) - -/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) - -# -# /usr -# -/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) -/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) - -# -# /var -# -/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if deleted file mode 100644 index b5dd671ff..000000000 --- a/policy/modules/services/finger.if +++ /dev/null @@ -1,33 +0,0 @@ -## Finger user information service. - -######################################## -## -## Execute fingerd in the fingerd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`finger_domtrans',` - gen_require(` - type fingerd_t, fingerd_exec_t; - ') - - domtrans_pattern($1, fingerd_exec_t, fingerd_t) -') - -######################################## -## -## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`finger_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te deleted file mode 100644 index 9b7036aa1..000000000 --- a/policy/modules/services/finger.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(finger, 1.9.0) - -######################################## -# -# Declarations -# - -type fingerd_t; -type fingerd_exec_t; -init_daemon_domain(fingerd_t, fingerd_exec_t) -inetd_tcp_service_domain(fingerd_t, fingerd_exec_t) - -type fingerd_etc_t; -files_config_file(fingerd_etc_t) - -type fingerd_log_t; -logging_log_file(fingerd_log_t) - -type fingerd_var_run_t; -files_pid_file(fingerd_var_run_t) - -######################################## -# -# Local policy -# - -allow fingerd_t self:capability { setgid setuid }; -dontaudit fingerd_t self:capability { sys_tty_config fsetid }; -allow fingerd_t self:process signal_perms; -allow fingerd_t self:fifo_file rw_fifo_file_perms; -allow fingerd_t self:tcp_socket connected_stream_socket_perms; -allow fingerd_t self:udp_socket create_socket_perms; -allow fingerd_t self:unix_dgram_socket create_socket_perms; -allow fingerd_t self:unix_stream_socket create_socket_perms; - -manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t) -files_pid_filetrans(fingerd_t, fingerd_var_run_t, file) - -allow fingerd_t fingerd_etc_t:dir list_dir_perms; -read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) -read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) - -allow fingerd_t fingerd_log_t:file manage_file_perms; -logging_log_filetrans(fingerd_t, fingerd_log_t, file) - -kernel_read_kernel_sysctls(fingerd_t) -kernel_read_system_state(fingerd_t) - -corenet_all_recvfrom_unlabeled(fingerd_t) -corenet_all_recvfrom_netlabel(fingerd_t) -corenet_tcp_sendrecv_generic_if(fingerd_t) -corenet_udp_sendrecv_generic_if(fingerd_t) -corenet_tcp_sendrecv_generic_node(fingerd_t) -corenet_udp_sendrecv_generic_node(fingerd_t) -corenet_tcp_sendrecv_all_ports(fingerd_t) -corenet_udp_sendrecv_all_ports(fingerd_t) -corenet_tcp_bind_generic_node(fingerd_t) -corenet_tcp_bind_fingerd_port(fingerd_t) - -dev_read_sysfs(fingerd_t) - -fs_getattr_all_fs(fingerd_t) -fs_search_auto_mountpoints(fingerd_t) - -term_getattr_all_ttys(fingerd_t) -term_getattr_all_ptys(fingerd_t) - -auth_read_lastlog(fingerd_t) - -corecmd_exec_bin(fingerd_t) -corecmd_exec_shell(fingerd_t) - -domain_use_interactive_fds(fingerd_t) - -files_search_home(fingerd_t) -files_read_etc_files(fingerd_t) -files_read_etc_runtime_files(fingerd_t) - -init_read_utmp(fingerd_t) -init_dontaudit_write_utmp(fingerd_t) - -logging_send_syslog_msg(fingerd_t) - -mta_getattr_spool(fingerd_t) - -sysnet_read_config(fingerd_t) - -miscfiles_read_localization(fingerd_t) - -# stop it accessing sub-directories, prevents checking a Maildir for new mail, -# have to change this when we create a type for Maildir -userdom_read_user_home_content_files(fingerd_t) -userdom_dontaudit_use_unpriv_user_fds(fingerd_t) - -optional_policy(` - cron_system_entry(fingerd_t, fingerd_exec_t) -') - -optional_policy(` - logrotate_exec(fingerd_t) -') - -optional_policy(` - nis_use_ypbind(fingerd_t) -') - -optional_policy(` - nscd_socket_use(fingerd_t) -') - -optional_policy(` - seutil_sigchld_newrole(fingerd_t) -') - -optional_policy(` - tcpd_wrapped_domain(fingerd_t, fingerd_exec_t) -') - -optional_policy(` - udev_read_db(fingerd_t) -') diff --git a/policy/modules/services/fprintd.fc b/policy/modules/services/fprintd.fc deleted file mode 100644 index a4f5fb1e9..000000000 --- a/policy/modules/services/fprintd.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) -/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if deleted file mode 100644 index ebad8c42d..000000000 --- a/policy/modules/services/fprintd.if +++ /dev/null @@ -1,41 +0,0 @@ -## DBus fingerprint reader service - -######################################## -## -## Execute a domain transition to run fprintd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`fprintd_domtrans',` - gen_require(` - type fprintd_t, fprintd_exec_t; - ') - - domtrans_pattern($1, fprintd_exec_t, fprintd_t) -') - -######################################## -## -## Send and receive messages from -## fprintd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`fprintd_dbus_chat',` - gen_require(` - type fprintd_t; - class dbus send_msg; - ') - - allow $1 fprintd_t:dbus send_msg; - allow fprintd_t $1:dbus send_msg; -') - diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te deleted file mode 100644 index 7df52c7d8..000000000 --- a/policy/modules/services/fprintd.te +++ /dev/null @@ -1,57 +0,0 @@ -policy_module(fprintd, 1.1.0) - -######################################## -# -# Declarations -# - -type fprintd_t; -type fprintd_exec_t; -dbus_system_domain(fprintd_t, fprintd_exec_t) - -type fprintd_var_lib_t; -files_type(fprintd_var_lib_t) - -######################################## -# -# Local policy -# - -allow fprintd_t self:capability sys_ptrace; -allow fprintd_t self:fifo_file rw_fifo_file_perms; -allow fprintd_t self:process { getsched signal }; - -manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file }) - -kernel_read_system_state(fprintd_t) - -corecmd_search_bin(fprintd_t) - -dev_list_usbfs(fprintd_t) -dev_rw_generic_usb_dev(fprintd_t) -dev_read_sysfs(fprintd_t) - -files_read_etc_files(fprintd_t) -files_read_usr_files(fprintd_t) - -fs_getattr_all_fs(fprintd_t) - -auth_use_nsswitch(fprintd_t) - -miscfiles_read_localization(fprintd_t) - -userdom_use_user_ptys(fprintd_t) -userdom_read_all_users_state(fprintd_t) - -optional_policy(` - consolekit_dbus_chat(fprintd_t) -') - -optional_policy(` - policykit_read_reload(fprintd_t) - policykit_read_lib(fprintd_t) - policykit_dbus_chat(fprintd_t) - policykit_domtrans_auth(fprintd_t) -') diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc deleted file mode 100644 index 69dcd2a02..000000000 --- a/policy/modules/services/ftp.fc +++ /dev/null @@ -1,31 +0,0 @@ -# -# /etc -# -/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) -/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0) - -/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) -/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - -# -# /var -# -/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) - -/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) -/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if deleted file mode 100644 index 9d3201b61..000000000 --- a/policy/modules/services/ftp.if +++ /dev/null @@ -1,206 +0,0 @@ -## File transfer protocol service - -####################################### -## -## Allow domain dyntransition to sftpd_anon domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ftp_dyntrans_anon_sftpd',` - gen_require(` - type anon_sftpd_t; - ') - - dyntrans_pattern($1, anon_sftpd_t) -') - -######################################## -## -## Use ftp by connecting over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read ftpd etc files -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_read_config',` - gen_require(` - type ftpd_etc_t; - ') - - files_search_etc($1) - allow $1 ftpd_etc_t:file read_file_perms; -') - -######################################## -## -## Execute FTP daemon entry point programs. -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_check_exec',` - gen_require(` - type ftpd_exec_t; - ') - - corecmd_search_bin($1) - allow $1 ftpd_exec_t:file { getattr execute }; -') - -######################################## -## -## Read FTP transfer logs -## -## -## -## Domain allowed access. -## -## -# -interface(`ftp_read_log',` - gen_require(` - type xferlog_t; - ') - - logging_search_logs($1) - allow $1 xferlog_t:file read_file_perms; -') - -######################################## -## -## Execute the ftpdctl program in the ftpdctl domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ftp_domtrans_ftpdctl',` - gen_require(` - type ftpdctl_t, ftpdctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) -') - -######################################## -## -## Execute the ftpdctl program in the ftpdctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ftpdctl domain. -## -## -## -# -interface(`ftp_run_ftpdctl',` - gen_require(` - type ftpdctl_t; - ') - - ftp_domtrans_ftpdctl($1) - role $2 types ftpdctl_t; -') - -####################################### -## -## Allow domain dyntransition to sftpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ftp_dyntrans_sftpd',` - gen_require(` - type sftpd_t; - ') - - dyntrans_pattern($1, sftpd_t) -') - -######################################## -## -## All of the rules required to administrate -## an ftp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ftp domain. -## -## -## -# -interface(`ftp_admin',` - gen_require(` - type ftpd_t, ftpdctl_t, ftpd_tmp_t; - type ftpd_etc_t, ftpd_lock_t; - type ftpd_var_run_t, xferlog_t; - type ftpd_initrc_exec_t; - ') - - allow $1 ftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ftpd_t) - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ftpd_initrc_exec_t system_r; - allow $2 system_r; - - ps_process_pattern($1, ftpdctl_t) - ftp_run_ftpdctl($1, $2) - - miscfiles_manage_public_files($1) - - files_list_tmp($1) - admin_pattern($1, ftpd_tmp_t) - - files_list_etc($1) - admin_pattern($1, ftpd_etc_t) - - files_list_var($1) - admin_pattern($1, ftpd_lock_t) - - files_list_pids($1) - admin_pattern($1, ftpd_var_run_t) - - logging_list_logs($1) - admin_pattern($1, xferlog_t) -') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te deleted file mode 100644 index 02ffdfb4b..000000000 --- a/policy/modules/services/ftp.te +++ /dev/null @@ -1,412 +0,0 @@ -policy_module(ftp, 1.13.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow ftp servers to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

-## -gen_tunable(allow_ftpd_anon_write, false) - -## -##

-## Allow ftp servers to login to local users and -## read/write all files on the system, governed by DAC. -##

-## -gen_tunable(allow_ftpd_full_access, false) - -## -##

-## Allow ftp servers to use cifs -## used for public file transfer services. -##

-## -gen_tunable(allow_ftpd_use_cifs, false) - -## -##

-## Allow ftp servers to use nfs -## used for public file transfer services. -##

-## -gen_tunable(allow_ftpd_use_nfs, false) - -## -##

-## Allow ftp to read and write files in the user home directories -##

-## -gen_tunable(ftp_home_dir, false) - -## -##

-## Allow anon internal-sftp to upload files, used for -## public file transfer services. Directories must be labeled -## public_content_rw_t. -##

-## -gen_tunable(sftpd_anon_write, false) - -## -##

-## Allow sftp-internal to read and write files -## in the user home directories -##

-## -gen_tunable(sftpd_enable_homedirs, false) - -## -##

-## Allow sftp-internal to login to local users and -## read/write all files on the system, governed by DAC. -##

-## -gen_tunable(sftpd_full_access, false) - -type anon_sftpd_t; -typealias anon_sftpd_t alias sftpd_anon_t; -domain_type(anon_sftpd_t) -role system_r types anon_sftpd_t; - -type ftpd_t; -type ftpd_exec_t; -init_daemon_domain(ftpd_t, ftpd_exec_t) - -type ftpd_etc_t; -files_config_file(ftpd_etc_t) - -type ftpd_initrc_exec_t; -init_script_file(ftpd_initrc_exec_t) - -type ftpd_lock_t; -files_lock_file(ftpd_lock_t) - -type ftpd_tmp_t; -files_tmp_file(ftpd_tmp_t) - -type ftpd_tmpfs_t; -files_tmpfs_file(ftpd_tmpfs_t) - -type ftpd_var_run_t; -files_pid_file(ftpd_var_run_t) - -type ftpdctl_t; -type ftpdctl_exec_t; -init_system_domain(ftpdctl_t, ftpdctl_exec_t) - -type ftpdctl_tmp_t; -files_tmp_file(ftpdctl_tmp_t) - -type sftpd_t; -domain_type(sftpd_t) -role system_r types sftpd_t; - -type xferlog_t; -logging_log_file(xferlog_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# anon-sftp local policy -# - -files_read_etc_files(anon_sftpd_t) - -miscfiles_read_public_files(anon_sftpd_t) - -tunable_policy(`sftpd_anon_write',` - miscfiles_manage_public_files(anon_sftpd_t) -') - -######################################## -# -# ftpd local policy -# - -allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; -dontaudit ftpd_t self:capability sys_tty_config; -allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; -allow ftpd_t self:fifo_file rw_fifo_file_perms; -allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; -allow ftpd_t self:unix_stream_socket create_stream_socket_perms; -allow ftpd_t self:tcp_socket create_stream_socket_perms; -allow ftpd_t self:udp_socket create_socket_perms; -allow ftpd_t self:shm create_shm_perms; -allow ftpd_t self:key manage_key_perms; - -allow ftpd_t ftpd_etc_t:file read_file_perms; - -allow ftpd_t ftpd_lock_t:file manage_file_perms; -files_lock_filetrans(ftpd_t, ftpd_lock_t, file) - -manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) - -manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) -files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) - -# proftpd requires the client side to bind a socket so that -# it can stat the socket to perform access control decisions, -# since getsockopt with SO_PEERCRED is not available on all -# proftpd-supported OSs -allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; - -# Create and modify /var/log/xferlog. -manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -logging_log_filetrans(ftpd_t, xferlog_t, file) - -kernel_read_kernel_sysctls(ftpd_t) -kernel_read_system_state(ftpd_t) -kernel_search_network_state(ftpd_t) - -dev_read_sysfs(ftpd_t) -dev_read_urand(ftpd_t) - -corecmd_exec_bin(ftpd_t) - -corenet_all_recvfrom_unlabeled(ftpd_t) -corenet_all_recvfrom_netlabel(ftpd_t) -corenet_tcp_sendrecv_generic_if(ftpd_t) -corenet_udp_sendrecv_generic_if(ftpd_t) -corenet_tcp_sendrecv_generic_node(ftpd_t) -corenet_udp_sendrecv_generic_node(ftpd_t) -corenet_tcp_sendrecv_all_ports(ftpd_t) -corenet_udp_sendrecv_all_ports(ftpd_t) -corenet_tcp_bind_generic_node(ftpd_t) -corenet_tcp_bind_ftp_port(ftpd_t) -corenet_tcp_bind_ftp_data_port(ftpd_t) -corenet_tcp_bind_generic_port(ftpd_t) -corenet_tcp_bind_all_unreserved_ports(ftpd_t) -corenet_dontaudit_tcp_bind_all_ports(ftpd_t) -corenet_tcp_connect_all_ports(ftpd_t) -corenet_sendrecv_ftp_server_packets(ftpd_t) - -domain_use_interactive_fds(ftpd_t) - -files_search_etc(ftpd_t) -files_read_etc_files(ftpd_t) -files_read_etc_runtime_files(ftpd_t) -files_search_var_lib(ftpd_t) - -fs_search_auto_mountpoints(ftpd_t) -fs_getattr_all_fs(ftpd_t) -fs_search_fusefs(ftpd_t) - -auth_use_nsswitch(ftpd_t) -auth_domtrans_chk_passwd(ftpd_t) -# Append to /var/log/wtmp. -auth_append_login_records(ftpd_t) -#kerberized ftp requires the following -auth_write_login_records(ftpd_t) -auth_rw_faillog(ftpd_t) - -init_rw_utmp(ftpd_t) - -logging_send_audit_msgs(ftpd_t) -logging_send_syslog_msg(ftpd_t) -logging_set_loginuid(ftpd_t) - -miscfiles_read_localization(ftpd_t) -miscfiles_read_public_files(ftpd_t) - -seutil_dontaudit_search_config(ftpd_t) - -sysnet_read_config(ftpd_t) -sysnet_use_ldap(ftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(ftpd_t) -userdom_dontaudit_search_user_home_dirs(ftpd_t) - -tunable_policy(`allow_ftpd_anon_write',` - miscfiles_manage_public_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_cifs',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` - fs_manage_cifs_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_nfs',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') - -tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` - fs_manage_nfs_files(ftpd_t) -') - -tunable_policy(`allow_ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; - auth_manage_all_files_except_auth_files(ftpd_t) -') - -tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override dac_read_search }; - - # allow access to /home - files_list_home(ftpd_t) - userdom_read_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_symlinks(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) -') - -tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` - fs_manage_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') - -tunable_policy(`ftp_home_dir && use_samba_home_dirs',` - fs_manage_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) -') - -optional_policy(` - tunable_policy(`ftp_home_dir',` - apache_search_sys_content(ftpd_t) - ') -') - -optional_policy(` - corecmd_exec_shell(ftpd_t) - - files_read_usr_files(ftpd_t) - - cron_system_entry(ftpd_t, ftpd_exec_t) - - optional_policy(` - logrotate_exec(ftpd_t) - ') -') - -optional_policy(` - daemontools_service_domain(ftpd_t, ftpd_exec_t) -') - -optional_policy(` - selinux_validate_context(ftpd_t) - - kerberos_keytab_template(ftpd, ftpd_t) - kerberos_manage_host_rcache(ftpd_t) -') - -optional_policy(` - inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) - - optional_policy(` - tcpd_domtrans(tcpd_t) - ') -') - -optional_policy(` - dbus_system_bus_client(ftpd_t) - - optional_policy(` - oddjob_dbus_chat(ftpd_t) - oddjob_domtrans_mkhomedir(ftpd_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(ftpd_t) -') - -optional_policy(` - udev_read_db(ftpd_t) -') - -######################################## -# -# ftpdctl local policy -# - -# Allow ftpdctl to talk to ftpd over a socket connection -stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) - -# ftpdctl creates a socket so that the daemon can perform -# access control decisions (see comments in ftpd_t rules above) -allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; -files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) - -# Allow ftpdctl to read config files -files_read_etc_files(ftpdctl_t) - -userdom_use_user_terminals(ftpdctl_t) - -######################################## -# -# sftpd local policy -# - -files_read_etc_files(sftpd_t) - -# allow read access to /home by default -userdom_read_user_home_content_files(sftpd_t) -userdom_read_user_home_content_symlinks(sftpd_t) - -tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - - # allow access to /home - files_list_home(sftpd_t) - userdom_manage_user_home_content_files(sftpd_t) - userdom_manage_user_home_content_dirs(sftpd_t) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) -') - -tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` - fs_manage_nfs_dirs(sftpd_t) - fs_manage_nfs_files(sftpd_t) - fs_manage_nfs_symlinks(sftpd_t) -') - -tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` - fs_manage_cifs_dirs(sftpd_t) - fs_manage_cifs_files(sftpd_t) - fs_manage_cifs_symlinks(sftpd_t) -') - -tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_auth_files(sftpd_t) -') - -tunable_policy(`use_samba_home_dirs',` - # allow read access to /home by default - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) - fs_read_cifs_symlinks(sftpd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - # allow read access to /home by default - fs_list_nfs(sftpd_t) - fs_read_nfs_files(sftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') diff --git a/policy/modules/services/gatekeeper.fc b/policy/modules/services/gatekeeper.fc deleted file mode 100644 index d6ef0255f..000000000 --- a/policy/modules/services/gatekeeper.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0) - -/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) -/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) - -/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0) -/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0) -/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0) diff --git a/policy/modules/services/gatekeeper.if b/policy/modules/services/gatekeeper.if deleted file mode 100644 index 311cb0619..000000000 --- a/policy/modules/services/gatekeeper.if +++ /dev/null @@ -1 +0,0 @@ -## OpenH.323 Voice-Over-IP Gatekeeper diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te deleted file mode 100644 index 99a94de5f..000000000 --- a/policy/modules/services/gatekeeper.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(gatekeeper, 1.7.0) - -######################################## -# -# Declarations -# - -type gatekeeper_t; -type gatekeeper_exec_t; -init_daemon_domain(gatekeeper_t, gatekeeper_exec_t) - -type gatekeeper_etc_t; -files_config_file(gatekeeper_etc_t) - -type gatekeeper_log_t; -logging_log_file(gatekeeper_log_t) - -# for stupid symlinks -type gatekeeper_tmp_t; -files_tmp_file(gatekeeper_tmp_t) - -type gatekeeper_var_run_t; -files_pid_file(gatekeeper_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit gatekeeper_t self:capability sys_tty_config; -allow gatekeeper_t self:process { setsched signal_perms }; -allow gatekeeper_t self:fifo_file rw_fifo_file_perms; -allow gatekeeper_t self:tcp_socket create_stream_socket_perms; -allow gatekeeper_t self:udp_socket create_socket_perms; - -allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; -allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; -files_search_etc(gatekeeper_t) - -manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) -logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir }) - -manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) -manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) -files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir }) - -manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t) -files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file) - -kernel_read_system_state(gatekeeper_t) -kernel_read_kernel_sysctls(gatekeeper_t) - -corecmd_list_bin(gatekeeper_t) - -corenet_all_recvfrom_unlabeled(gatekeeper_t) -corenet_all_recvfrom_netlabel(gatekeeper_t) -corenet_tcp_sendrecv_generic_if(gatekeeper_t) -corenet_udp_sendrecv_generic_if(gatekeeper_t) -corenet_tcp_sendrecv_generic_node(gatekeeper_t) -corenet_udp_sendrecv_generic_node(gatekeeper_t) -corenet_tcp_sendrecv_all_ports(gatekeeper_t) -corenet_udp_sendrecv_all_ports(gatekeeper_t) -corenet_tcp_bind_generic_node(gatekeeper_t) -corenet_udp_bind_generic_node(gatekeeper_t) -corenet_tcp_bind_gatekeeper_port(gatekeeper_t) -corenet_udp_bind_gatekeeper_port(gatekeeper_t) -corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t) - -dev_read_sysfs(gatekeeper_t) -# for SSP -dev_read_urand(gatekeeper_t) - -domain_use_interactive_fds(gatekeeper_t) - -files_read_etc_files(gatekeeper_t) - -fs_getattr_all_fs(gatekeeper_t) -fs_search_auto_mountpoints(gatekeeper_t) - -logging_send_syslog_msg(gatekeeper_t) - -miscfiles_read_localization(gatekeeper_t) - -sysnet_read_config(gatekeeper_t) - -userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) -userdom_dontaudit_search_user_home_dirs(gatekeeper_t) - -optional_policy(` - nis_use_ypbind(gatekeeper_t) -') - -optional_policy(` - seutil_sigchld_newrole(gatekeeper_t) -') - -optional_policy(` - udev_read_db(gatekeeper_t) -') diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc deleted file mode 100644 index 13e72a7ad..000000000 --- a/policy/modules/services/git.fc +++ /dev/null @@ -1,11 +0,0 @@ -HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) - -/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) - -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) - -/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) - -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if deleted file mode 100644 index b0242d92d..000000000 --- a/policy/modules/services/git.if +++ /dev/null @@ -1,50 +0,0 @@ -## GIT revision control system. - -######################################## -## -## Role access for Git session. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# -template(`git_role',` - gen_require(` - type git_session_t, gitd_exec_t, git_user_content_t; - ') - - ######################################## - # - # Declarations - # - - role $1 types git_session_t; - - ######################################## - # - # Policy - # - - manage_dirs_pattern($2, git_user_content_t, git_user_content_t) - relabel_dirs_pattern($2, git_user_content_t, git_user_content_t) - - exec_files_pattern($2, git_user_content_t, git_user_content_t) - manage_files_pattern($2, git_user_content_t, git_user_content_t) - relabel_files_pattern($2, git_user_content_t, git_user_content_t) - - allow $2 git_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, git_session_t) - - tunable_policy(`git_session_users',` - domtrans_pattern($2, gitd_exec_t, git_session_t) - ',` - can_exec($2, gitd_exec_t) - ') -') diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te deleted file mode 100644 index c05bec349..000000000 --- a/policy/modules/services/git.te +++ /dev/null @@ -1,227 +0,0 @@ -policy_module(git, 1.0.1) - -######################################## -# -# Declarations -# - -## -##

-## Determine whether Git CGI -## can search home directories. -##

-## -gen_tunable(git_cgi_enable_homedirs, false) - -## -##

-## Determine whether Git CGI -## can access cifs file systems. -##

-## -gen_tunable(git_cgi_use_cifs, false) - -## -##

-## Determine whether Git CGI -## can access nfs file systems. -##

-## -gen_tunable(git_cgi_use_nfs, false) - -## -##

-## Determine whether calling user domains -## can execute Git daemon in the -## git_session_t domain. -##

-## -gen_tunable(git_session_users, false) - -## -##

-## Determine whether Git session daemons -## can send syslog messages. -##

-## -gen_tunable(git_session_send_syslog_msg, false) - -## -##

-## Determine whether Git system daemon -## can search home directories. -##

-## -gen_tunable(git_system_enable_homedirs, false) - -## -##

-## Determine whether Git system daemon -## can access cifs file systems. -##

-## -gen_tunable(git_system_use_cifs, false) - -## -##

-## Determine whether Git system daemon -## can access nfs file systems. -##

-## -gen_tunable(git_system_use_nfs, false) - -attribute git_daemon; - -apache_content_template(git) - -type git_system_t, git_daemon; -type gitd_exec_t; -inetd_service_domain(git_system_t, gitd_exec_t) - -type git_session_t, git_daemon; -application_domain(git_session_t, gitd_exec_t) -ubac_constrained(git_session_t) - -type git_sys_content_t; -files_type(git_sys_content_t) - -type git_user_content_t; -userdom_user_home_content(git_user_content_t) - -######################################## -# -# Git session policy -# - -allow git_session_t self:tcp_socket { accept listen }; - -list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) -read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) -userdom_search_user_home_dirs(git_session_t) - -corenet_all_recvfrom_netlabel(git_session_t) -corenet_all_recvfrom_unlabeled(git_session_t) -corenet_tcp_bind_generic_node(git_session_t) -corenet_tcp_sendrecv_generic_if(git_session_t) -corenet_tcp_sendrecv_generic_node(git_session_t) -corenet_tcp_sendrecv_generic_port(git_session_t) -corenet_tcp_bind_git_port(git_session_t) -corenet_tcp_sendrecv_git_port(git_session_t) -corenet_sendrecv_git_server_packets(git_session_t) - -userdom_use_user_terminals(git_session_t) - -tunable_policy(`git_session_send_syslog_msg',` - logging_send_syslog_msg(git_session_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(git_session_t) -',` - fs_dontaudit_read_nfs_files(git_session_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(git_session_t) -',` - fs_dontaudit_read_cifs_files(git_session_t) -') - -######################################## -# -# Git system policy -# - -list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) -read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) -files_search_var_lib(git_system_t) - -logging_send_syslog_msg(git_system_t) - -tunable_policy(`git_system_enable_homedirs',` - userdom_search_user_home_dirs(git_system_t) -') - -tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(git_system_t) -',` - fs_dontaudit_read_nfs_files(git_system_t) -') - -tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(git_system_t) -',` - fs_dontaudit_read_cifs_files(git_system_t) -') - -tunable_policy(`git_system_use_cifs',` - fs_read_cifs_files(git_system_t) -',` - fs_dontaudit_read_cifs_files(git_system_t) -') - -tunable_policy(`git_system_use_nfs',` - fs_read_nfs_files(git_system_t) -',` - fs_dontaudit_read_nfs_files(git_system_t) -') - -######################################## -# -# Git CGI policy -# - -list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -files_search_var_lib(httpd_git_script_t) - -files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) - -auth_use_nsswitch(httpd_git_script_t) - -tunable_policy(`git_cgi_enable_homedirs',` - userdom_search_user_home_dirs(httpd_git_script_t) -') - -tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_git_script_t) -',` - fs_dontaudit_read_nfs_files(httpd_git_script_t) -') - -tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_git_script_t) -',` - fs_dontaudit_read_cifs_files(httpd_git_script_t) -') - -tunable_policy(`git_cgi_use_cifs',` - fs_read_cifs_files(httpd_git_script_t) -',` - fs_dontaudit_read_cifs_files(httpd_git_script_t) -') - -tunable_policy(`git_cgi_use_nfs',` - fs_read_nfs_files(httpd_git_script_t) -',` - fs_dontaudit_read_nfs_files(httpd_git_script_t) -') - -######################################## -# -# Git global policy -# - -allow git_daemon self:fifo_file rw_fifo_file_perms; - -kernel_read_system_state(git_daemon) - -corecmd_exec_bin(git_daemon) - -files_read_usr_files(git_daemon) - -fs_search_auto_mountpoints(git_daemon) - -auth_use_nsswitch(git_daemon) - -miscfiles_read_localization(git_daemon) diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc deleted file mode 100644 index 462de63b4..000000000 --- a/policy/modules/services/gnomeclock.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if deleted file mode 100644 index 671d8fd25..000000000 --- a/policy/modules/services/gnomeclock.if +++ /dev/null @@ -1,65 +0,0 @@ -## Gnome clock handler for setting the time. - -######################################## -## -## Execute a domain transition to run gnomeclock. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gnomeclock_domtrans',` - gen_require(` - type gnomeclock_t, gnomeclock_exec_t; - ') - - domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) -') - -######################################## -## -## Execute gnomeclock in the gnomeclock domain, and -## allow the specified role the gnomeclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`gnomeclock_run',` - gen_require(` - type gnomeclock_t; - ') - - gnomeclock_domtrans($1) - role $2 types gnomeclock_t; -') - -######################################## -## -## Send and receive messages from -## gnomeclock over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnomeclock_dbus_chat',` - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - allow $1 gnomeclock_t:dbus send_msg; - allow gnomeclock_t $1:dbus send_msg; -') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te deleted file mode 100644 index 4fde46bcf..000000000 --- a/policy/modules/services/gnomeclock.te +++ /dev/null @@ -1,46 +0,0 @@ -policy_module(gnomeclock, 1.0.0) - -######################################## -# -# Declarations -# - -type gnomeclock_t; -type gnomeclock_exec_t; -dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) - -######################################## -# -# gnomeclock local policy -# - -allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -allow gnomeclock_t self:process { getattr getsched }; -allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; - -corecmd_exec_bin(gnomeclock_t) - -files_read_etc_files(gnomeclock_t) -files_read_usr_files(gnomeclock_t) - -auth_use_nsswitch(gnomeclock_t) - -clock_domtrans(gnomeclock_t) - -miscfiles_read_localization(gnomeclock_t) -miscfiles_manage_localization(gnomeclock_t) -miscfiles_etc_filetrans_localization(gnomeclock_t) - -userdom_read_all_users_state(gnomeclock_t) - -optional_policy(` - consolekit_dbus_chat(gnomeclock_t) -') - -optional_policy(` - policykit_dbus_chat(gnomeclock_t) - policykit_domtrans_auth(gnomeclock_t) - policykit_read_lib(gnomeclock_t) - policykit_read_reload(gnomeclock_t) -') diff --git a/policy/modules/services/gpm.fc b/policy/modules/services/gpm.fc deleted file mode 100644 index 6fc9661ef..000000000 --- a/policy/modules/services/gpm.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0) -/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0) - -/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0) - -/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if deleted file mode 100644 index 7d9729855..000000000 --- a/policy/modules/services/gpm.if +++ /dev/null @@ -1,81 +0,0 @@ -## General Purpose Mouse driver - -######################################## -## -## Connect to GPM over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpm_stream_connect',` - gen_require(` - type gpmctl_t, gpm_t; - ') - - allow $1 gpmctl_t:sock_file rw_sock_file_perms; - allow $1 gpm_t:unix_stream_socket connectto; -') - -######################################## -## -## Get the attributes of the GPM -## control channel named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpm_getattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file getattr; -') - -######################################## -## -## Do not audit attempts to get the -## attributes of the GPM control channel -## named socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`gpm_dontaudit_getattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dontaudit $1 gpmctl_t:sock_file getattr; -') - -######################################## -## -## Set the attributes of the GPM -## control channel named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpm_setattr_gpmctl',` - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file setattr; -') diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te deleted file mode 100644 index a627b3451..000000000 --- a/policy/modules/services/gpm.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(gpm, 1.8.0) - -######################################## -# -# Declarations -# - -type gpm_t; -type gpm_exec_t; -init_daemon_domain(gpm_t, gpm_exec_t) - -type gpm_conf_t; -files_type(gpm_conf_t) - -type gpm_tmp_t; -files_tmp_file(gpm_tmp_t) - -type gpm_var_run_t; -files_pid_file(gpm_var_run_t) - -type gpmctl_t; -files_type(gpmctl_t) - -######################################## -# -# Local policy -# - -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; -allow gpm_t self:process { getcap setcap }; -allow gpm_t self:unix_stream_socket create_stream_socket_perms; - -allow gpm_t gpm_conf_t:dir list_dir_perms; -read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) -read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) - -manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) -manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) -files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) - -allow gpm_t gpm_var_run_t:file manage_file_perms; -files_pid_filetrans(gpm_t, gpm_var_run_t, file) - -allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; -allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file }) - -kernel_read_kernel_sysctls(gpm_t) -kernel_list_proc(gpm_t) -kernel_read_proc_symlinks(gpm_t) - -dev_read_sysfs(gpm_t) -# Access the mouse. -dev_rw_input_dev(gpm_t) -dev_rw_mouse(gpm_t) - -files_read_etc_files(gpm_t) - -fs_getattr_all_fs(gpm_t) -fs_search_auto_mountpoints(gpm_t) - -term_use_unallocated_ttys(gpm_t) - -domain_use_interactive_fds(gpm_t) - -logging_send_syslog_msg(gpm_t) - -miscfiles_read_localization(gpm_t) - -userdom_dontaudit_use_unpriv_user_fds(gpm_t) -userdom_dontaudit_search_user_home_dirs(gpm_t) - -optional_policy(` - seutil_sigchld_newrole(gpm_t) -') - -optional_policy(` - udev_read_db(gpm_t) -') diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc deleted file mode 100644 index 5e81e3345..000000000 --- a/policy/modules/services/gpsd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) - -/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) - -/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) -/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if deleted file mode 100644 index c0ee676e8..000000000 --- a/policy/modules/services/gpsd.if +++ /dev/null @@ -1,66 +0,0 @@ -## gpsd monitor daemon - -######################################## -## -## Execute a domain transition to run gpsd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`gpsd_domtrans',` - gen_require(` - type gpsd_t, gpsd_exec_t; - ') - - domtrans_pattern($1, gpsd_exec_t, gpsd_t) -') - -######################################## -## -## Execute gpsd in the gpsd domain, and -## allow the specified role the gpsd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`gpsd_run',` - gen_require(` - type gpsd_t; - ') - - gpsd_domtrans($1) - role $2 types gpsd_t; -') - -######################################## -## -## Read and write gpsd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`gpsd_rw_shm',` - gen_require(` - type gpsd_t, gpsd_tmpfs_t; - ') - - allow $1 gpsd_t:shm rw_shm_perms; - allow $1 gpsd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - fs_search_tmpfs($1) -') diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te deleted file mode 100644 index 03742d885..000000000 --- a/policy/modules/services/gpsd.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(gpsd, 1.1.0) - -######################################## -# -# Declarations -# - -type gpsd_t; -type gpsd_exec_t; -application_domain(gpsd_t, gpsd_exec_t) -init_daemon_domain(gpsd_t, gpsd_exec_t) - -type gpsd_initrc_exec_t; -init_script_file(gpsd_initrc_exec_t) - -type gpsd_tmpfs_t; -files_tmpfs_file(gpsd_tmpfs_t) - -type gpsd_var_run_t; -files_pid_file(gpsd_var_run_t) - -######################################## -# -# gpsd local policy -# - -allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; -allow gpsd_t self:process setsched; -allow gpsd_t self:shm create_shm_perms; -allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow gpsd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) - -manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) - -corenet_all_recvfrom_unlabeled(gpsd_t) -corenet_all_recvfrom_netlabel(gpsd_t) -corenet_tcp_sendrecv_generic_if(gpsd_t) -corenet_tcp_sendrecv_generic_node(gpsd_t) -corenet_tcp_sendrecv_all_ports(gpsd_t) -corenet_tcp_bind_all_nodes(gpsd_t) -corenet_tcp_bind_gpsd_port(gpsd_t) - -term_use_unallocated_ttys(gpsd_t) -term_setattr_unallocated_ttys(gpsd_t) - -auth_use_nsswitch(gpsd_t) - -logging_send_syslog_msg(gpsd_t) - -miscfiles_read_localization(gpsd_t) - -optional_policy(` - dbus_system_bus_client(gpsd_t) -') - -optional_policy(` - ntp_rw_shm(gpsd_t) -') diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc deleted file mode 100644 index 633c47013..000000000 --- a/policy/modules/services/hadoop.fc +++ /dev/null @@ -1,59 +0,0 @@ -/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0) - -/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) -/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) -/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) -/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) -/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) -/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) - -/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) -/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) - -/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0) -/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0) - -/usr/lib/hadoop.*/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0) - -/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0) -/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0) - -/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) -/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) -/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) -/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) -/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) -/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) -/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) - -/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0) -/var/lock/subsys/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_lock_t,s0) -/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_lock_t,s0) -/var/lock/subsys/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_lock_t,s0) -/var/lock/subsys/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_lock_t,s0) - -/var/log/hadoop.* gen_context(system_u:object_r:hadoop_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-datanode(-.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-jobtracker(-.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-namenode(-.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-secondarynamenode(-.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0) -/var/log/hadoop.*/hadoop-hadoop-tasktracker(-.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0) -/var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0) -/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0) - -/var/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0) -/var/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0) - -/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if deleted file mode 100644 index 2d0b4e1a8..000000000 --- a/policy/modules/services/hadoop.if +++ /dev/null @@ -1,534 +0,0 @@ -## Software for reliable, scalable, distributed computing. - -####################################### -## -## The template to define a hadoop domain. -## -## -## -## Domain prefix to be used. -## -## -# -template(`hadoop_domain_template',` - gen_require(` - attribute hadoop_domain; - type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t; - type hadoop_exec_t, hadoop_hsperfdata_t; - ') - - ######################################## - # - # Shared declarations. - # - - type hadoop_$1_t, hadoop_domain; - domain_type(hadoop_$1_t) - domain_entry_file(hadoop_$1_t, hadoop_exec_t) - role system_r types hadoop_$1_t; - - type hadoop_$1_initrc_t; - type hadoop_$1_initrc_exec_t; - init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t) - role system_r types hadoop_$1_initrc_t; - - type hadoop_$1_initrc_var_run_t; - files_pid_file(hadoop_$1_initrc_var_run_t) - - type hadoop_$1_lock_t; - files_lock_file(hadoop_$1_lock_t) - - type hadoop_$1_log_t; - logging_log_file(hadoop_$1_log_t) - - type hadoop_$1_tmp_t; - files_tmp_file(hadoop_$1_tmp_t) - - type hadoop_$1_var_lib_t; - files_type(hadoop_$1_var_lib_t) - - #################################### - # - # Shared hadoop_$1 policy. - # - - allow hadoop_$1_t self:capability { chown kill setgid setuid }; - allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal }; - allow hadoop_$1_t self:key search; - allow hadoop_$1_t self:fifo_file rw_fifo_file_perms; - allow hadoop_$1_t self:unix_dgram_socket create_socket_perms; - allow hadoop_$1_t self:tcp_socket create_stream_socket_perms; - allow hadoop_$1_t self:udp_socket create_socket_perms; - dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms; - - allow hadoop_$1_t hadoop_domain:process signull; - - manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t) - filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) - logging_search_logs(hadoop_$1_t) - - manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) - manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) - filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) - files_search_var_lib(hadoop_$1_t) - - manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) - filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) - files_search_pids(hadoop_$1_t) - - allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms; - manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) - filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file) - files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir) - - kernel_read_kernel_sysctls(hadoop_$1_t) - kernel_read_sysctl(hadoop_$1_t) - kernel_read_network_state(hadoop_$1_t) - kernel_read_system_state(hadoop_$1_t) - - corecmd_exec_bin(hadoop_$1_t) - corecmd_exec_shell(hadoop_$1_t) - - corenet_all_recvfrom_unlabeled(hadoop_$1_t) - corenet_all_recvfrom_netlabel(hadoop_$1_t) - corenet_tcp_bind_all_nodes(hadoop_$1_t) - corenet_tcp_sendrecv_generic_if(hadoop_$1_t) - corenet_udp_sendrecv_generic_if(hadoop_$1_t) - corenet_tcp_sendrecv_generic_node(hadoop_$1_t) - corenet_udp_sendrecv_generic_node(hadoop_$1_t) - corenet_tcp_sendrecv_all_ports(hadoop_$1_t) - corenet_udp_bind_generic_node(hadoop_$1_t) - # Hadoop uses high ordered random ports for services - # If permanent ports are chosen, remove line below and lock down - corenet_tcp_connect_generic_port(hadoop_$1_t) - - dev_read_rand(hadoop_$1_t) - dev_read_urand(hadoop_$1_t) - dev_read_sysfs(hadoop_$1_t) - - files_read_etc_files(hadoop_$1_t) - - auth_domtrans_chkpwd(hadoop_$1_t) - - hadoop_match_lan_spd(hadoop_$1_t) - - init_read_utmp(hadoop_$1_t) - init_use_fds(hadoop_$1_t) - init_use_script_fds(hadoop_$1_t) - init_use_script_ptys(hadoop_$1_t) - - logging_send_audit_msgs(hadoop_$1_t) - logging_send_syslog_msg(hadoop_$1_t) - - miscfiles_read_localization(hadoop_$1_t) - - sysnet_read_config(hadoop_$1_t) - - hadoop_exec_config(hadoop_$1_t) - - java_exec(hadoop_$1_t) - - kerberos_use(hadoop_$1_t) - - su_exec(hadoop_$1_t) - - optional_policy(` - nscd_socket_use(hadoop_$1_t) - ') - - #################################### - # - # Shared hadoop_$1 initrc policy. - # - - allow hadoop_$1_initrc_t self:capability { setuid setgid }; - dontaudit hadoop_$1_initrc_t self:capability sys_tty_config; - allow hadoop_$1_initrc_t self:process setsched; - allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms; - - allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull }; - - domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t) - files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file) - files_search_locks(hadoop_$1_initrc_t) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) - files_search_pids(hadoop_$1_initrc_t) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) - logging_search_logs(hadoop_$1_initrc_t) - - manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t) - manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t) - - kernel_read_kernel_sysctls(hadoop_$1_initrc_t) - kernel_read_sysctl(hadoop_$1_initrc_t) - kernel_read_system_state(hadoop_$1_initrc_t) - - corecmd_exec_bin(hadoop_$1_initrc_t) - corecmd_exec_shell(hadoop_$1_initrc_t) - - files_read_etc_files(hadoop_$1_initrc_t) - files_read_usr_files(hadoop_$1_initrc_t) - - consoletype_exec(hadoop_$1_initrc_t) - - fs_getattr_xattr_fs(hadoop_$1_initrc_t) - fs_search_cgroup_dirs(hadoop_$1_initrc_t) - - term_use_generic_ptys(hadoop_$1_initrc_t) - - hadoop_exec_config(hadoop_$1_initrc_t) - - init_rw_utmp(hadoop_$1_initrc_t) - init_use_fds(hadoop_$1_initrc_t) - init_use_script_ptys(hadoop_$1_initrc_t) - - logging_send_syslog_msg(hadoop_$1_initrc_t) - logging_send_audit_msgs(hadoop_$1_initrc_t) - - miscfiles_read_localization(hadoop_$1_initrc_t) - - userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t) - - optional_policy(` - nscd_socket_use(hadoop_$1_initrc_t) - ') -') - -######################################## -## -## Role access for hadoop. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -## -# -interface(`hadoop_role',` - gen_require(` - type hadoop_t; - ') - - hadoop_domtrans($2) - role $1 types hadoop_t; - - allow $2 hadoop_t:process { ptrace signal_perms }; - ps_process_pattern($2, hadoop_t) - - hadoop_domtrans_zookeeper_client($2) - role $1 types zookeeper_t; - - allow $2 zookeeper_t:process { ptrace signal_perms }; - ps_process_pattern($2, zookeeper_t) -') - -######################################## -## -## Execute hadoop in the -## hadoop domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hadoop_domtrans',` - gen_require(` - type hadoop_t, hadoop_exec_t; - ') - - domtrans_pattern($1, hadoop_exec_t, hadoop_t) -') - -######################################## -## -## Give permission to a domain to -## recvfrom hadoop_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom',` - gen_require(` - type hadoop_t; - ') - - allow $1 hadoop_t:peer recv; -') - -######################################## -## -## Execute zookeeper client in the -## zookeeper client domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hadoop_domtrans_zookeeper_client',` - gen_require(` - type zookeeper_t, zookeeper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zookeeper_exec_t, zookeeper_t) -') - -######################################## -## -## Give permission to a domain to -## recvfrom zookeeper_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_zookeeper_client',` - gen_require(` - type zookeeper_t; - ') - - allow $1 zookeeper_t:peer recv; -') - -######################################## -## -## Execute zookeeper server in the -## zookeeper server domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hadoop_domtrans_zookeeper_server',` - gen_require(` - type zookeeper_server_t, zookeeper_server_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t) -') - -######################################## -## -## Give permission to a domain to -## recvfrom zookeeper_server_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_zookeeper_server',` - gen_require(` - type zookeeper_server_t; - ') - - allow $1 zookeeper_server_t:peer recv; -') - -######################################## -## -## Execute zookeeper server in the -## zookeeper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hadoop_initrc_domtrans_zookeeper_server',` - gen_require(` - type zookeeper_server_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t) -') - -######################################## -## -## Give permission to a domain to -## recvfrom hadoop_datanode_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_datanode',` - gen_require(` - type hadoop_datanode_t; - ') - - allow $1 hadoop_datanode_t:peer recv; -') - -######################################## -## -## Give permission to a domain to read -## hadoop_etc_t -## -## -## -## Domain needing read permission -## -## -# -interface(`hadoop_read_config',` - gen_require(` - type hadoop_etc_t; - ') - - read_files_pattern($1, hadoop_etc_t, hadoop_etc_t) - read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t) -') - -######################################## -## -## Give permission to a domain to -## execute hadoop_etc_t -## -## -## -## Domain needing read and execute -## permission -## -## -# -interface(`hadoop_exec_config',` - gen_require(` - type hadoop_etc_t; - ') - - hadoop_read_config($1) - allow $1 hadoop_etc_t:file exec_file_perms; -') - -######################################## -## -## Give permission to a domain to -## recvfrom hadoop_jobtracker_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_jobtracker',` - gen_require(` - type hadoop_jobtracker_t; - ') - - allow $1 hadoop_jobtracker_t:peer recv; -') - -######################################## -## -## Give permission to a domain to -## polmatch on hadoop_lan_t -## -## -## -## Domain needing polmatch -## permission -## -## -# -interface(`hadoop_match_lan_spd',` - gen_require(` - type hadoop_lan_t; - ') - - allow $1 hadoop_lan_t:association polmatch; -') - -######################################## -## -## Give permission to a domain to -## recvfrom hadoop_namenode_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_namenode',` - gen_require(` - type hadoop_namenode_t; - ') - - allow $1 hadoop_namenode_t:peer recv; -') - -######################################## -## -## Give permission to a domain to -## recvfrom hadoop_secondarynamenode_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_secondarynamenode',` - gen_require(` - type hadoop_secondarynamenode_t; - ') - - allow $1 hadoop_secondarynamenode_t:peer recv; -') - -######################################## -## -## Give permission to a domain to -## recvfrom hadoop_tasktracker_t -## -## -## -## Domain needing recvfrom -## permission -## -## -# -interface(`hadoop_recvfrom_tasktracker',` - gen_require(` - type hadoop_tasktracker_t; - ') - - allow $1 hadoop_tasktracker_t:peer recv; -') diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te deleted file mode 100644 index 241902f69..000000000 --- a/policy/modules/services/hadoop.te +++ /dev/null @@ -1,440 +0,0 @@ -policy_module(hadoop, 1.1.0) - -######################################## -# -# Declarations. -# - -attribute hadoop_domain; - -type hadoop_t; -type hadoop_exec_t; -application_domain(hadoop_t, hadoop_exec_t) -ubac_constrained(hadoop_t) - -type hadoop_etc_t; -files_config_file(hadoop_etc_t) - -type hadoop_home_t; -userdom_user_home_content(hadoop_home_t) - -type hadoop_lan_t; -corenet_spd_type(hadoop_lan_t) - -type hadoop_log_t; -logging_log_file(hadoop_log_t) - -type hadoop_tmp_t; -files_tmp_file(hadoop_tmp_t) -ubac_constrained(hadoop_tmp_t) - -type hadoop_var_lib_t; -files_type(hadoop_var_lib_t) - -type hadoop_var_run_t; -files_pid_file(hadoop_var_run_t) - -type hadoop_hsperfdata_t; -files_tmp_file(hadoop_hsperfdata_t) -ubac_constrained(hadoop_hsperfdata_t) - -hadoop_domain_template(datanode) -hadoop_domain_template(jobtracker) -hadoop_domain_template(namenode) -hadoop_domain_template(secondarynamenode) -hadoop_domain_template(tasktracker) - -type zookeeper_t; -type zookeeper_exec_t; -application_domain(zookeeper_t, zookeeper_exec_t) -ubac_constrained(zookeeper_t) - -type zookeeper_etc_t; -files_config_file(zookeeper_etc_t) - -type zookeeper_log_t; -logging_log_file(zookeeper_log_t) - -type zookeeper_server_t; -type zookeeper_server_exec_t; -init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t) - -type zookeeper_server_initrc_exec_t; -init_script_file(zookeeper_server_initrc_exec_t) - -type zookeeper_server_tmp_t; -files_tmp_file(zookeeper_server_tmp_t) - -type zookeeper_server_var_t; -files_type(zookeeper_server_var_t) - -# This will need a file context specification. -type zookeeper_server_var_run_t; -files_pid_file(zookeeper_server_var_run_t) - -type zookeeper_tmp_t; -files_tmp_file(zookeeper_tmp_t) -ubac_constrained(zookeeper_tmp_t) - -######################################## -# -# Hadoop policy. -# - -allow hadoop_t self:capability sys_resource; -allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem }; -allow hadoop_t self:fifo_file rw_fifo_file_perms; -allow hadoop_t self:key write; -allow hadoop_t self:tcp_socket create_stream_socket_perms; -allow hadoop_t self:udp_socket create_socket_perms; -dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms; - -allow hadoop_t hadoop_domain:process signull; - -hadoop_match_lan_spd(hadoop_t) -allow hadoop_t self:peer recv; -hadoop_recvfrom_datanode(hadoop_t) -hadoop_recvfrom_jobtracker(hadoop_t) -hadoop_recvfrom_namenode(hadoop_t) -hadoop_recvfrom_tasktracker(hadoop_t) - -read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) -read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) -can_exec(hadoop_t, hadoop_etc_t) - -manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t) -manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t) -manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t) -userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir }) - -allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir) - -manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t) - -manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t) -manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t) -filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file }) - -manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t) -manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t) -files_search_var_lib(hadoop_t) - -getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t) - -kernel_read_network_state(hadoop_t) -kernel_read_system_state(hadoop_t) - -corecmd_exec_bin(hadoop_t) -corecmd_exec_shell(hadoop_t) - -corenet_all_recvfrom_unlabeled(hadoop_t) -corenet_all_recvfrom_netlabel(hadoop_t) -corenet_tcp_sendrecv_generic_if(hadoop_t) -corenet_udp_sendrecv_generic_if(hadoop_t) -corenet_tcp_sendrecv_generic_node(hadoop_t) -corenet_udp_sendrecv_generic_node(hadoop_t) -corenet_tcp_bind_generic_node(hadoop_t) -corenet_udp_bind_generic_node(hadoop_t) -corenet_tcp_sendrecv_all_ports(hadoop_t) -corenet_udp_sendrecv_all_ports(hadoop_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_t) -corenet_tcp_connect_portmap_port(hadoop_t) -corenet_tcp_connect_zope_port(hadoop_t) -corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t) -corenet_sendrecv_portmap_client_packets(hadoop_t) -corenet_sendrecv_zope_client_packets(hadoop_t) -# Hadoop uses high ordered random ports for services -# If permanent ports are chosen, remove line below and lock down -corenet_tcp_connect_generic_port(hadoop_t) - -dev_read_rand(hadoop_t) -dev_read_sysfs(hadoop_t) -dev_read_urand(hadoop_t) - -domain_use_interactive_fds(hadoop_t) - -files_dontaudit_search_spool(hadoop_t) -files_read_etc_files(hadoop_t) -files_read_usr_files(hadoop_t) - -fs_getattr_xattr_fs(hadoop_t) - -miscfiles_read_localization(hadoop_t) - -sysnet_read_config(hadoop_t) - -userdom_use_user_terminals(hadoop_t) - -java_exec(hadoop_t) - -kerberos_use(hadoop_t) - -optional_policy(` - nis_use_ypbind(hadoop_t) -') - -optional_policy(` - nscd_socket_use(hadoop_t) -') - -######################################## -# -# Hadoop datanode policy. -# - -allow hadoop_datanode_t self:process signal; - -manage_dirs_pattern(hadoop_datanode_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_tcp_bind_hadoop_datanode_port(hadoop_datanode_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_datanode_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t) - -fs_getattr_xattr_fs(hadoop_datanode_t) - -allow hadoop_datanode_t self:peer recv; -hadoop_recvfrom_jobtracker(hadoop_datanode_t) -hadoop_recvfrom_namenode(hadoop_datanode_t) -hadoop_recvfrom(hadoop_datanode_t) -hadoop_recvfrom_tasktracker(hadoop_datanode_t) - -######################################## -# -# Hadoop jobtracker policy. -# - -create_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t) -setattr_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t) - -manage_dirs_pattern(hadoop_jobtracker_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_tcp_bind_zope_port(hadoop_jobtracker_t) -corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t) - -allow hadoop_jobtracker_t self:peer recv; -hadoop_recvfrom_datanode(hadoop_jobtracker_t) -hadoop_recvfrom_namenode(hadoop_jobtracker_t) -hadoop_recvfrom(hadoop_jobtracker_t) -hadoop_recvfrom_tasktracker(hadoop_jobtracker_t) - -######################################## -# -# Hadoop namenode policy. -# - -manage_dirs_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t) -manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t) - -allow hadoop_namenode_t self:peer recv; -hadoop_recvfrom_datanode(hadoop_namenode_t) -hadoop_recvfrom_jobtracker(hadoop_namenode_t) -hadoop_recvfrom(hadoop_namenode_t) -hadoop_recvfrom_secondarynamenode(hadoop_namenode_t) -hadoop_recvfrom_tasktracker(hadoop_namenode_t) - -######################################## -# -# Hadoop secondary namenode policy. -# - -manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t) - -allow hadoop_secondarynamenode_t self:peer recv; -hadoop_recvfrom_namenode(hadoop_secondarynamenode_t) - -######################################## -# -# Hadoop tasktracker policy. -# - -allow hadoop_tasktracker_t self:process signal; - -manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t) -setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t) -filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir) - -filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file) -manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t) - -manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t) - -corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t) -corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t) -corenet_tcp_connect_zope_port(hadoop_tasktracker_t) - -fs_getattr_xattr_fs(hadoop_tasktracker_t) - -allow hadoop_tasktracker_t self:peer recv; -hadoop_recvfrom_datanode(hadoop_tasktracker_t) -hadoop_recvfrom_jobtracker(hadoop_tasktracker_t) -hadoop_recvfrom(hadoop_tasktracker_t) -hadoop_recvfrom_namenode(hadoop_tasktracker_t) - -######################################## -# -# Hadoop zookeeper client policy. -# - -allow zookeeper_t self:process { getsched sigkill signal signull execmem }; -allow zookeeper_t self:fifo_file rw_fifo_file_perms; -allow zookeeper_t self:tcp_socket create_stream_socket_perms; -allow zookeeper_t self:udp_socket create_socket_perms; -dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms; - -hadoop_match_lan_spd(zookeeper_t) -hadoop_recvfrom_zookeeper_server(zookeeper_t) - -read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) -read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) - -can_exec(zookeeper_t, zookeeper_exec_t) - -allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir) - -allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms }; -allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms }; -append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t) -logging_log_filetrans(zookeeper_t, zookeeper_log_t, file) - -allow zookeeper_t zookeeper_server_t:process signull; - -manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t) -filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file) - -kernel_read_network_state(zookeeper_t) -kernel_read_system_state(zookeeper_t) - -corecmd_exec_bin(zookeeper_t) -corecmd_exec_shell(zookeeper_t) - -corenet_all_recvfrom_unlabeled(zookeeper_t) -corenet_all_recvfrom_netlabel(zookeeper_t) -corenet_tcp_sendrecv_generic_if(zookeeper_t) -corenet_udp_sendrecv_generic_if(zookeeper_t) -corenet_tcp_sendrecv_generic_node(zookeeper_t) -corenet_udp_sendrecv_generic_node(zookeeper_t) -corenet_tcp_sendrecv_all_ports(zookeeper_t) -corenet_udp_sendrecv_all_ports(zookeeper_t) -corenet_tcp_bind_generic_node(zookeeper_t) -corenet_udp_bind_generic_node(zookeeper_t) -corenet_tcp_connect_zookeeper_client_port(zookeeper_t) -corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t) -# Hadoop uses high ordered random ports for services -# If permanent ports are chosen, remove line below and lock down -corenet_tcp_connect_generic_port(zookeeper_t) - -dev_read_rand(zookeeper_t) -dev_read_sysfs(zookeeper_t) -dev_read_urand(zookeeper_t) - -domain_use_interactive_fds(zookeeper_t) - -files_read_etc_files(zookeeper_t) -files_read_usr_files(zookeeper_t) - -miscfiles_read_localization(zookeeper_t) - -sysnet_read_config(zookeeper_t) - -userdom_use_user_terminals(zookeeper_t) -userdom_dontaudit_search_user_home_dirs(zookeeper_t) - -java_exec(zookeeper_t) - -optional_policy(` - nscd_socket_use(zookeeper_t) -') - -######################################## -# -# Hadoop zookeeper server policy. -# - -allow zookeeper_server_t self:capability kill; -allow zookeeper_server_t self:process { execmem getsched sigkill signal signull }; -allow zookeeper_server_t self:fifo_file rw_fifo_file_perms; -allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms; -allow zookeeper_server_t self:tcp_socket create_stream_socket_perms; -allow zookeeper_server_t self:udp_socket create_socket_perms; - -hadoop_match_lan_spd(zookeeper_server_t) -allow zookeeper_server_t self:peer recv; -hadoop_recvfrom_zookeeper_client(zookeeper_server_t) - -allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms; -files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir) - -read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t) -read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t) - -manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t) -manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t) -files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file }) - -allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms }; -allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms }; -logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file) - -manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t) -filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file) - -manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t) -files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file) - -can_exec(zookeeper_server_t, zookeeper_server_exec_t) - -kernel_read_network_state(zookeeper_server_t) -kernel_read_system_state(zookeeper_server_t) - -corecmd_exec_bin(zookeeper_server_t) -corecmd_exec_shell(zookeeper_server_t) - -corenet_all_recvfrom_unlabeled(zookeeper_server_t) -corenet_all_recvfrom_netlabel(zookeeper_server_t) -corenet_tcp_sendrecv_generic_if(zookeeper_server_t) -corenet_udp_sendrecv_generic_if(zookeeper_server_t) -corenet_tcp_sendrecv_generic_node(zookeeper_server_t) -corenet_udp_sendrecv_generic_node(zookeeper_server_t) -corenet_tcp_sendrecv_all_ports(zookeeper_server_t) -corenet_udp_sendrecv_all_ports(zookeeper_server_t) -corenet_tcp_bind_generic_node(zookeeper_server_t) -corenet_udp_bind_generic_node(zookeeper_server_t) -corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t) -corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t) -corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t) -corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t) -corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t) -corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t) -corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t) -corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t) -corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t) -corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t) -# Hadoop uses high ordered random ports for services -# If permanent ports are chosen, remove line below and lock down -corenet_tcp_connect_generic_port(zookeeper_server_t) - -dev_read_rand(zookeeper_server_t) -dev_read_sysfs(zookeeper_server_t) -dev_read_urand(zookeeper_server_t) - -files_read_etc_files(zookeeper_server_t) -files_read_usr_files(zookeeper_server_t) - -fs_getattr_xattr_fs(zookeeper_server_t) - -logging_send_syslog_msg(zookeeper_server_t) - -miscfiles_read_localization(zookeeper_server_t) - -sysnet_read_config(zookeeper_server_t) - -java_exec(zookeeper_server_t) diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc deleted file mode 100644 index c98b0df4f..000000000 --- a/policy/modules/services/hal.fc +++ /dev/null @@ -1,33 +0,0 @@ - -/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) -/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) - -/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) - -/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) -/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) -/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) -/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) -/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - -/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) - -/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - -/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) - -/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) -/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0) - -/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) - -ifdef(`distro_gentoo',` -/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) -') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if deleted file mode 100644 index 7cf676398..000000000 --- a/policy/modules/services/hal.if +++ /dev/null @@ -1,433 +0,0 @@ -## Hardware abstraction layer - -######################################## -## -## Execute hal in the hal domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hal_domtrans',` - gen_require(` - type hald_t, hald_exec_t; - ') - - domtrans_pattern($1, hald_exec_t, hald_t) -') - -######################################## -## -## Get the attributes of a hal process. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_getattr',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process getattr; -') - -######################################## -## -## Read hal system state -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_read_state',` - gen_require(` - type hald_t; - ') - - ps_process_pattern($1, hald_t) -') - -######################################## -## -## Allow ptrace of hal domain -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_ptrace',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process ptrace; -') - -######################################## -## -## Allow domain to use file descriptors from hal. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_use_fds',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fd use; -') - -######################################## -## -## Do not audit attempts to use file descriptors from hal. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_use_fds',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fd use; -') - -######################################## -## -## Allow attempts to read and write to -## hald unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_rw_pipes',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write to -## hald unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_rw_pipes',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Send to hal over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_dgram_send',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:unix_dgram_socket sendto; -') - -######################################## -## -## Send to hal over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_stream_connect',` - gen_require(` - type hald_t; - ') - - allow $1 hald_t:unix_stream_socket connectto; -') - -######################################## -## -## Dontaudit read/write to a hal unix datagram socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_rw_dgram_sockets',` - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:unix_dgram_socket { read write }; -') - -######################################## -## -## Send a dbus message to hal. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_dbus_send',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## hal over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_dbus_chat',` - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; - allow hald_t $1:dbus send_msg; -') - -######################################## -## -## Execute hal mac in the hal mac domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hal_domtrans_mac',` - gen_require(` - type hald_mac_t, hald_mac_exec_t; - ') - - domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) -') - -######################################## -## -## Allow attempts to write the hal -## log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_write_log',` - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - allow $1 hald_log_t:file write_file_perms; -') - -######################################## -## -## Do not audit attempts to write the hal -## log files. -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_write_log',` - gen_require(` - type hald_log_t; - ') - - dontaudit $1 hald_log_t:file { append write }; -') - -######################################## -## -## Manage hald log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_manage_log',` - gen_require(` - type hald_log_t; - ') - - # log files for hald - manage_files_pattern($1, hald_log_t, hald_log_t) - logging_log_filetrans($1, hald_log_t, file) -') - -######################################## -## -## Read hald tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_read_tmp_files',` - gen_require(` - type hald_tmp_t; - ') - - allow $1 hald_tmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to read or write -## HAL libraries files -## -## -## -## Domain to not audit. -## -## -# -interface(`hal_dontaudit_append_lib_files',` - gen_require(` - type hald_var_lib_t; - ') - - dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; -') - -######################################## -## -## Read hald PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_read_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file read_file_perms; -') - -######################################## -## -## Read/Write hald PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_rw_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; -') - -######################################## -## -## Manage hald PID dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_manage_pid_dirs',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) -') - -######################################## -## -## Manage hald PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`hal_manage_pid_files',` - gen_require(` - type hald_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, hald_var_run_t, hald_var_run_t) -') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te deleted file mode 100644 index 24c625397..000000000 --- a/policy/modules/services/hal.te +++ /dev/null @@ -1,531 +0,0 @@ -policy_module(hal, 1.13.0) - -######################################## -# -# Declarations -# - -type hald_t; -type hald_exec_t; -init_daemon_domain(hald_t, hald_exec_t) - -type hald_acl_t; -type hald_acl_exec_t; -domain_type(hald_acl_t) -domain_entry_file(hald_acl_t, hald_acl_exec_t) -role system_r types hald_acl_t; - -type hald_cache_t; -files_pid_file(hald_cache_t) - -type hald_dccm_t; -type hald_dccm_exec_t; -domain_type(hald_dccm_t) -domain_entry_file(hald_dccm_t, hald_dccm_exec_t) -role system_r types hald_dccm_t; - -type hald_keymap_t; -type hald_keymap_exec_t; -domain_type(hald_keymap_t) -domain_entry_file(hald_keymap_t, hald_keymap_exec_t) -role system_r types hald_keymap_t; - -type hald_log_t; -logging_log_file(hald_log_t) - -type hald_mac_t; -type hald_mac_exec_t; -domain_type(hald_mac_t) -domain_entry_file(hald_mac_t, hald_mac_exec_t) -role system_r types hald_mac_t; - -type hald_sonypic_t; -type hald_sonypic_exec_t; -domain_type(hald_sonypic_t) -domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t) -role system_r types hald_sonypic_t; - -type hald_tmp_t; -files_tmp_file(hald_tmp_t) - -type hald_var_run_t; -files_pid_file(hald_var_run_t) - -type hald_var_lib_t; -files_type(hald_var_lib_t) - -######################################## -# -# Local policy -# - -# execute openvt which needs setuid -allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; -dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; -allow hald_t self:process { getsched getattr signal_perms }; -allow hald_t self:fifo_file rw_fifo_file_perms; -allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow hald_t self:unix_dgram_socket create_socket_perms; -allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; -allow hald_t self:tcp_socket create_stream_socket_perms; -allow hald_t self:udp_socket create_socket_perms; -# For backwards compatibility with older kernels -allow hald_t self:netlink_socket create_socket_perms; - -manage_files_pattern(hald_t, hald_cache_t, hald_cache_t) - -# log files for hald -manage_files_pattern(hald_t, hald_log_t, hald_log_t) -logging_log_filetrans(hald_t, hald_log_t, file) - -manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t) -manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t) -files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) - -# var/lib files for hald -manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) - -manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) - -kernel_read_system_state(hald_t) -kernel_read_network_state(hald_t) -kernel_read_software_raid_state(hald_t) -kernel_rw_kernel_sysctl(hald_t) -kernel_read_fs_sysctls(hald_t) -kernel_rw_irq_sysctls(hald_t) -kernel_rw_vm_sysctls(hald_t) -kernel_write_proc_files(hald_t) -kernel_search_network_sysctl(hald_t) -kernel_setsched(hald_t) -kernel_request_load_module(hald_t) - -auth_read_pam_console_data(hald_t) - -corecmd_exec_all_executables(hald_t) - -corenet_all_recvfrom_unlabeled(hald_t) -corenet_all_recvfrom_netlabel(hald_t) -corenet_tcp_sendrecv_generic_if(hald_t) -corenet_udp_sendrecv_generic_if(hald_t) -corenet_tcp_sendrecv_generic_node(hald_t) -corenet_udp_sendrecv_generic_node(hald_t) -corenet_tcp_sendrecv_all_ports(hald_t) -corenet_udp_sendrecv_all_ports(hald_t) - -dev_rw_usbfs(hald_t) -dev_read_rand(hald_t) -dev_read_urand(hald_t) -dev_read_input(hald_t) -dev_read_mouse(hald_t) -dev_rw_printer(hald_t) -dev_read_lvm_control(hald_t) -dev_getattr_all_chr_files(hald_t) -dev_manage_generic_chr_files(hald_t) -dev_rw_generic_usb_dev(hald_t) -dev_setattr_generic_usb_dev(hald_t) -dev_setattr_usbfs_files(hald_t) -dev_rw_power_management(hald_t) -dev_read_raw_memory(hald_t) -# hal is now execing pm-suspend -dev_rw_sysfs(hald_t) -dev_read_video_dev(hald_t) - -domain_use_interactive_fds(hald_t) -domain_read_all_domains_state(hald_t) -domain_dontaudit_ptrace_all_domains(hald_t) - -files_exec_etc_files(hald_t) -files_read_etc_files(hald_t) -files_rw_etc_runtime_files(hald_t) -files_manage_mnt_dirs(hald_t) -files_manage_mnt_files(hald_t) -files_manage_mnt_symlinks(hald_t) -files_search_var_lib(hald_t) -files_read_usr_files(hald_t) -# hal is now execing pm-suspend -files_create_boot_flag(hald_t) -files_getattr_all_dirs(hald_t) -files_getattr_all_files(hald_t) -files_read_kernel_img(hald_t) -files_rw_lock_dirs(hald_t) -files_read_generic_pids(hald_t) - -fs_getattr_all_fs(hald_t) -fs_search_all(hald_t) -fs_list_inotifyfs(hald_t) -fs_list_auto_mountpoints(hald_t) -fs_mount_dos_fs(hald_t) -fs_unmount_dos_fs(hald_t) -fs_manage_dos_files(hald_t) -fs_manage_fusefs_dirs(hald_t) -fs_rw_removable_blk_files(hald_t) - -files_getattr_all_mountpoints(hald_t) - -mls_file_read_all_levels(hald_t) - -selinux_get_fs_mount(hald_t) -selinux_validate_context(hald_t) -selinux_compute_access_vector(hald_t) -selinux_compute_create_context(hald_t) -selinux_compute_relabel_context(hald_t) -selinux_compute_user_contexts(hald_t) - -storage_raw_read_removable_device(hald_t) -storage_raw_write_removable_device(hald_t) -storage_raw_read_fixed_disk(hald_t) -storage_raw_write_fixed_disk(hald_t) - -# hal_probe_serial causes these -term_setattr_unallocated_ttys(hald_t) -term_use_unallocated_ttys(hald_t) - -auth_use_nsswitch(hald_t) - -fstools_getattr_swap_files(hald_t) - -init_domtrans_script(hald_t) -init_read_utmp(hald_t) -#hal runs shutdown, probably need a shutdown domain -init_rw_utmp(hald_t) -init_telinit(hald_t) - -libs_exec_ld_so(hald_t) -libs_exec_lib_files(hald_t) - -logging_send_audit_msgs(hald_t) -logging_send_syslog_msg(hald_t) -logging_search_logs(hald_t) - -miscfiles_read_localization(hald_t) -miscfiles_read_hwdata(hald_t) - -modutils_domtrans_insmod(hald_t) -modutils_read_module_deps(hald_t) - -seutil_read_config(hald_t) -seutil_read_default_contexts(hald_t) -seutil_read_file_contexts(hald_t) - -sysnet_read_config(hald_t) -sysnet_domtrans_dhcpc(hald_t) -sysnet_domtrans_ifconfig(hald_t) -sysnet_read_dhcp_config(hald_t) - -userdom_dontaudit_use_unpriv_user_fds(hald_t) -userdom_dontaudit_search_user_home_dirs(hald_t) - -optional_policy(` - alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) -') - -optional_policy(` - bootloader_domtrans(hald_t) -') - -optional_policy(` - # For /usr/libexec/hald-addon-acpi - # writes to /var/run/acpid.socket - apm_stream_connect(hald_t) -') - -optional_policy(` - bind_search_cache(hald_t) -') - -optional_policy(` - bluetooth_domtrans(hald_t) -') - -optional_policy(` - clock_domtrans(hald_t) -') - -optional_policy(` - cups_domtrans_config(hald_t) - cups_signal_config(hald_t) -') - -optional_policy(` - dbus_system_bus_client(hald_t) - dbus_connect_system_bus(hald_t) - - init_dbus_chat_script(hald_t) - - optional_policy(` - networkmanager_dbus_chat(hald_t) - ') -') - -optional_policy(` - # For /usr/libexec/hald-probe-smbios - dmidecode_domtrans(hald_t) -') - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(hald_t) -') - -optional_policy(` - hotplug_read_config(hald_t) -') - -optional_policy(` - lvm_domtrans(hald_t) -') - -optional_policy(` - mount_domtrans(hald_t) -') - -optional_policy(` - ntp_domtrans(hald_t) -') - -optional_policy(` - pcmcia_manage_pid(hald_t) - pcmcia_manage_pid_chr_files(hald_t) -') - -optional_policy(` - podsleuth_domtrans(hald_t) -') - -optional_policy(` - ppp_domtrans(hald_t) - ppp_read_rw_config(hald_t) -') - -optional_policy(` - policykit_dbus_chat(hald_t) - policykit_domtrans_auth(hald_t) - policykit_domtrans_resolve(hald_t) - policykit_read_lib(hald_t) - policykit_read_reload(hald_t) -') - -optional_policy(` - rpc_search_nfs_state_data(hald_t) -') - -optional_policy(` - seutil_sigchld_newrole(hald_t) -') - -optional_policy(` - udev_domtrans(hald_t) - udev_read_db(hald_t) -') - -optional_policy(` - usbmuxd_stream_connect(hald_t) -') - -optional_policy(` - updfstab_domtrans(hald_t) -') - -optional_policy(` - vbetool_domtrans(hald_t) -') - -optional_policy(` - virt_manage_images(hald_t) -') - -######################################## -# -# Hal acl local policy -# - -allow hald_acl_t self:capability { dac_override fowner sys_resource }; -allow hald_acl_t self:process { getattr signal }; -allow hald_acl_t self:fifo_file rw_fifo_file_perms; - -domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -allow hald_t hald_acl_t:process signal; -allow hald_acl_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_acl_t) - -manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) - -corecmd_exec_bin(hald_acl_t) - -dev_getattr_all_chr_files(hald_acl_t) -dev_setattr_all_chr_files(hald_acl_t) -dev_getattr_generic_usb_dev(hald_acl_t) -dev_getattr_video_dev(hald_acl_t) -dev_setattr_video_dev(hald_acl_t) -dev_getattr_sound_dev(hald_acl_t) -dev_setattr_sound_dev(hald_acl_t) -dev_setattr_generic_usb_dev(hald_acl_t) -dev_setattr_usbfs_files(hald_acl_t) - -files_read_usr_files(hald_acl_t) -files_read_etc_files(hald_acl_t) - -fs_getattr_all_fs(hald_acl_t) - -storage_getattr_removable_dev(hald_acl_t) -storage_setattr_removable_dev(hald_acl_t) -storage_getattr_fixed_disk_dev(hald_acl_t) -storage_setattr_fixed_disk_dev(hald_acl_t) - -auth_use_nsswitch(hald_acl_t) - -logging_send_syslog_msg(hald_acl_t) - -miscfiles_read_localization(hald_acl_t) - -optional_policy(` - policykit_dbus_chat(hald_acl_t) - policykit_domtrans_auth(hald_acl_t) - policykit_read_lib(hald_acl_t) - policykit_read_reload(hald_acl_t) -') - -######################################## -# -# Local hald mac policy -# - -allow hald_mac_t self:capability { setgid setuid sys_admin }; - -domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) -allow hald_t hald_mac_t:process signal; -allow hald_mac_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_mac_t) - -write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) - -kernel_read_system_state(hald_mac_t) - -dev_read_raw_memory(hald_mac_t) -dev_write_raw_memory(hald_mac_t) -dev_read_sysfs(hald_mac_t) - -files_read_usr_files(hald_mac_t) -files_read_etc_files(hald_mac_t) - -auth_use_nsswitch(hald_mac_t) - -logging_send_syslog_msg(hald_mac_t) - -miscfiles_read_localization(hald_mac_t) - -######################################## -# -# Local hald sonypic policy -# - -domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t) -allow hald_t hald_sonypic_t:process signal; -allow hald_sonypic_t hald_t:unix_stream_socket connectto; - -dev_read_video_dev(hald_sonypic_t) -dev_write_video_dev(hald_sonypic_t) - -manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_sonypic_t) - -write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) - -files_read_usr_files(hald_sonypic_t) - -miscfiles_read_localization(hald_sonypic_t) - -######################################## -# -# Hal keymap local policy -# - -domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t) -allow hald_t hald_keymap_t:process signal; -allow hald_keymap_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_keymap_t) - -write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) - -dev_rw_input_dev(hald_keymap_t) - -files_read_etc_files(hald_keymap_t) -files_read_usr_files(hald_keymap_t) - -miscfiles_read_localization(hald_keymap_t) - -######################################## -# -# Local hald dccm policy -# - -allow hald_dccm_t self:capability { chown net_bind_service }; -allow hald_dccm_t self:process getsched; -allow hald_dccm_t self:fifo_file rw_fifo_file_perms; -allow hald_dccm_t self:tcp_socket create_stream_socket_perms; -allow hald_dccm_t self:udp_socket create_socket_perms; -allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; - -domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) -allow hald_t hald_dccm_t:process signal; -allow hald_dccm_t hald_t:unix_stream_socket connectto; - -manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -files_search_var_lib(hald_dccm_t) - -manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) - -manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) -files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) - -write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) - -kernel_search_network_sysctl(hald_dccm_t) - -dev_read_urand(hald_dccm_t) - -corenet_all_recvfrom_unlabeled(hald_dccm_t) -corenet_all_recvfrom_netlabel(hald_dccm_t) -corenet_tcp_sendrecv_generic_if(hald_dccm_t) -corenet_udp_sendrecv_generic_if(hald_dccm_t) -corenet_tcp_sendrecv_generic_node(hald_dccm_t) -corenet_udp_sendrecv_generic_node(hald_dccm_t) -corenet_tcp_sendrecv_all_ports(hald_dccm_t) -corenet_udp_sendrecv_all_ports(hald_dccm_t) -corenet_tcp_bind_generic_node(hald_dccm_t) -corenet_udp_bind_generic_node(hald_dccm_t) -corenet_udp_bind_dhcpc_port(hald_dccm_t) -corenet_tcp_bind_ftp_port(hald_dccm_t) -corenet_tcp_bind_dccm_port(hald_dccm_t) - -logging_send_syslog_msg(hald_dccm_t) - -files_read_usr_files(hald_dccm_t) - -miscfiles_read_localization(hald_dccm_t) - -hal_dontaudit_rw_dgram_sockets(hald_dccm_t) - -optional_policy(` - dbus_system_bus_client(hald_dccm_t) -') diff --git a/policy/modules/services/hddtemp.fc b/policy/modules/services/hddtemp.fc deleted file mode 100644 index 16766123d..000000000 --- a/policy/modules/services/hddtemp.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) - -/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) - -/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if deleted file mode 100644 index 87b453121..000000000 --- a/policy/modules/services/hddtemp.if +++ /dev/null @@ -1,77 +0,0 @@ -## hddtemp hard disk temperature tool running as a daemon. - -####################################### -## -## Execute a domain transition to run hddtemp. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`hddtemp_domtrans',` - gen_require(` - type hddtemp_t, hddtemp_exec_t; - ') - - domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) - corecmd_search_bin($1) -') - -###################################### -## -## Execute hddtemp. -## -## -## -## Domain allowed access. -## -## -# -interface(`hddtemp_exec',` - gen_require(` - type hddtemp_exec_t; - ') - - can_exec($1, hddtemp_exec_t) - corecmd_search_bin($1) -') - -######################################## -## -## All of the rules required to -## administrate an hddtemp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`hddtemp_admin',` - gen_require(` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - - allow $1 hddtemp_t:process { ptrace signal_perms }; - ps_process_pattern($1, hddtemp_t) - - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, hddtemp_etc_t) - files_search_etc($1) - - allow $1 hddtemp_t:dir list_dir_perms; - read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) - kernel_search_proc($1) -') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te deleted file mode 100644 index c234b3235..000000000 --- a/policy/modules/services/hddtemp.te +++ /dev/null @@ -1,49 +0,0 @@ -policy_module(hddtemp, 1.1.0) - -######################################## -# -# Declarations -# - -type hddtemp_t; -type hddtemp_exec_t; -init_daemon_domain(hddtemp_t, hddtemp_exec_t) - -type hddtemp_initrc_exec_t; -init_script_file(hddtemp_initrc_exec_t) - -type hddtemp_etc_t; -files_config_file(hddtemp_etc_t) - -######################################## -# -# hddtemp local policy -# - -allow hddtemp_t self:capability sys_rawio; -dontaudit hddtemp_t self:capability sys_admin; -allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms; -allow hddtemp_t self:tcp_socket create_stream_socket_perms; -allow hddtemp_t self:udp_socket create_socket_perms; - -allow hddtemp_t hddtemp_etc_t:file read_file_perms; - -corenet_all_recvfrom_unlabeled(hddtemp_t) -corenet_all_recvfrom_netlabel(hddtemp_t) -corenet_tcp_sendrecv_generic_if(hddtemp_t) -corenet_tcp_sendrecv_generic_node(hddtemp_t) -corenet_tcp_bind_generic_node(hddtemp_t) -corenet_tcp_sendrecv_all_ports(hddtemp_t) -corenet_tcp_bind_hddtemp_port(hddtemp_t) -corenet_sendrecv_hddtemp_server_packets(hddtemp_t) -corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) - -files_search_etc(hddtemp_t) -files_read_usr_files(hddtemp_t) - -storage_raw_read_fixed_disk(hddtemp_t) - -logging_send_syslog_msg(hddtemp_t) - -miscfiles_read_localization(hddtemp_t) - diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc deleted file mode 100644 index faf9146cd..000000000 --- a/policy/modules/services/howl.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0) -/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0) - -/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0) diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if deleted file mode 100644 index 9164dd269..000000000 --- a/policy/modules/services/howl.if +++ /dev/null @@ -1,19 +0,0 @@ -## Port of Apple Rendezvous multicast DNS - -######################################## -## -## Send generic signals to howl. -## -## -## -## Domain allowed access. -## -## -# -interface(`howl_signal',` - gen_require(` - type howl_t; - ') - - allow $1 howl_t:process signal; -') diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te deleted file mode 100644 index 6ad2d3cb2..000000000 --- a/policy/modules/services/howl.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(howl, 1.9.0) - -######################################## -# -# Declarations -# - -type howl_t; -type howl_exec_t; -init_daemon_domain(howl_t, howl_exec_t) - -type howl_var_run_t; -files_pid_file(howl_var_run_t) - -######################################## -# -# Local policy -# - -allow howl_t self:capability { kill net_admin }; -dontaudit howl_t self:capability sys_tty_config; -allow howl_t self:process signal_perms; -allow howl_t self:fifo_file rw_fifo_file_perms; -allow howl_t self:tcp_socket create_stream_socket_perms; -allow howl_t self:udp_socket create_socket_perms; - -manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t) -files_pid_filetrans(howl_t, howl_var_run_t, file) - -kernel_read_network_state(howl_t) -kernel_read_kernel_sysctls(howl_t) -kernel_request_load_module(howl_t) -kernel_list_proc(howl_t) -kernel_read_proc_symlinks(howl_t) - -corenet_all_recvfrom_unlabeled(howl_t) -corenet_all_recvfrom_netlabel(howl_t) -corenet_tcp_sendrecv_generic_if(howl_t) -corenet_udp_sendrecv_generic_if(howl_t) -corenet_tcp_sendrecv_generic_node(howl_t) -corenet_udp_sendrecv_generic_node(howl_t) -corenet_tcp_sendrecv_all_ports(howl_t) -corenet_udp_sendrecv_all_ports(howl_t) -corenet_tcp_bind_generic_node(howl_t) -corenet_udp_bind_generic_node(howl_t) -corenet_tcp_bind_howl_port(howl_t) -corenet_udp_bind_howl_port(howl_t) -corenet_sendrecv_howl_server_packets(howl_t) - -dev_read_sysfs(howl_t) - -fs_getattr_all_fs(howl_t) -fs_search_auto_mountpoints(howl_t) - -domain_use_interactive_fds(howl_t) - -files_read_etc_files(howl_t) - -init_rw_utmp(howl_t) - -logging_send_syslog_msg(howl_t) - -miscfiles_read_localization(howl_t) - -sysnet_read_config(howl_t) - -userdom_dontaudit_use_unpriv_user_fds(howl_t) -userdom_dontaudit_search_user_home_dirs(howl_t) - -optional_policy(` - nis_use_ypbind(howl_t) -') - -optional_policy(` - seutil_sigchld_newrole(howl_t) -') - -optional_policy(` - udev_read_db(howl_t) -') diff --git a/policy/modules/services/i18n_input.fc b/policy/modules/services/i18n_input.fc deleted file mode 100644 index 024eb188a..000000000 --- a/policy/modules/services/i18n_input.fc +++ /dev/null @@ -1,19 +0,0 @@ -# -# /usr -# - -/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0) -/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0) - -# -# /var -# - -/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if deleted file mode 100644 index bc7de4ffe..000000000 --- a/policy/modules/services/i18n_input.if +++ /dev/null @@ -1,15 +0,0 @@ -## IIIMF htt server - -######################################## -## -## Use i18n_input over a TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`i18n_use',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te deleted file mode 100644 index 5fc89c4e6..000000000 --- a/policy/modules/services/i18n_input.te +++ /dev/null @@ -1,102 +0,0 @@ -policy_module(i18n_input, 1.8.0) - -######################################## -# -# Declarations -# - -type i18n_input_t; -type i18n_input_exec_t; -init_daemon_domain(i18n_input_t, i18n_input_exec_t) - -type i18n_input_var_run_t; -files_pid_file(i18n_input_var_run_t) - -######################################## -# -# i18n_input local policy -# - -allow i18n_input_t self:capability { kill setgid setuid }; -dontaudit i18n_input_t self:capability sys_tty_config; -allow i18n_input_t self:process { signal_perms setsched setpgid }; -allow i18n_input_t self:fifo_file rw_fifo_file_perms; -allow i18n_input_t self:unix_dgram_socket create_socket_perms; -allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; -allow i18n_input_t self:tcp_socket create_stream_socket_perms; -allow i18n_input_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file) - -can_exec(i18n_input_t, i18n_input_exec_t) - -kernel_read_kernel_sysctls(i18n_input_t) -kernel_read_system_state(i18n_input_t) - -corenet_all_recvfrom_unlabeled(i18n_input_t) -corenet_all_recvfrom_netlabel(i18n_input_t) -corenet_tcp_sendrecv_generic_if(i18n_input_t) -corenet_udp_sendrecv_generic_if(i18n_input_t) -corenet_tcp_sendrecv_generic_node(i18n_input_t) -corenet_udp_sendrecv_generic_node(i18n_input_t) -corenet_tcp_sendrecv_all_ports(i18n_input_t) -corenet_udp_sendrecv_all_ports(i18n_input_t) -corenet_tcp_bind_generic_node(i18n_input_t) -corenet_tcp_bind_i18n_input_port(i18n_input_t) -corenet_tcp_connect_all_ports(i18n_input_t) -corenet_sendrecv_i18n_input_server_packets(i18n_input_t) -corenet_sendrecv_all_client_packets(i18n_input_t) - -dev_read_sysfs(i18n_input_t) - -fs_getattr_all_fs(i18n_input_t) -fs_search_auto_mountpoints(i18n_input_t) - -corecmd_search_bin(i18n_input_t) -corecmd_exec_bin(i18n_input_t) - -domain_use_interactive_fds(i18n_input_t) - -files_read_etc_files(i18n_input_t) -files_read_etc_runtime_files(i18n_input_t) -files_read_usr_files(i18n_input_t) - -init_stream_connect_script(i18n_input_t) - -logging_send_syslog_msg(i18n_input_t) - -miscfiles_read_localization(i18n_input_t) - -sysnet_read_config(i18n_input_t) - -userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) -userdom_read_user_home_content_files(i18n_input_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(i18n_input_t) - fs_read_nfs_symlinks(i18n_input_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(i18n_input_t) - fs_read_cifs_symlinks(i18n_input_t) -') - -optional_policy(` - canna_stream_connect(i18n_input_t) -') - -optional_policy(` - nis_use_ypbind(i18n_input_t) -') - -optional_policy(` - seutil_sigchld_newrole(i18n_input_t) -') - -optional_policy(` - udev_read_db(i18n_input_t) -') diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc deleted file mode 100644 index a81e09008..000000000 --- a/policy/modules/services/icecast.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) - -/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0) - -/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) - -/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if deleted file mode 100644 index ecab47ab7..000000000 --- a/policy/modules/services/icecast.if +++ /dev/null @@ -1,188 +0,0 @@ -## ShoutCast compatible streaming media server - -######################################## -## -## Execute a domain transition to run icecast. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`icecast_domtrans',` - gen_require(` - type icecast_t, icecast_exec_t; - ') - - domtrans_pattern($1, icecast_exec_t, icecast_t) -') - -######################################## -## -## Allow domain signal icecast -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_signal',` - gen_require(` - type icecast_t; - ') - - allow $1 icecast_t:process signal; -') - -######################################## -## -## Execute icecast server in the icecast domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`icecast_initrc_domtrans',` - gen_require(` - type icecast_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, icecast_initrc_exec_t) -') - -######################################## -## -## Read icecast PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_read_pid_files',` - gen_require(` - type icecast_var_run_t; - ') - - files_search_pids($1) - allow $1 icecast_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage icecast pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_manage_pid_files',` - gen_require(` - type icecast_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) -') - -######################################## -## -## Allow the specified domain to read icecast's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`icecast_read_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## -## Allow the specified domain to append -## icecast log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`icecast_append_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## -## Allow domain to manage icecast log files -## -## -## -## Domain allow access. -## -## -# -interface(`icecast_manage_log',` - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, icecast_log_t, icecast_log_t) -') - -######################################## -## -## All of the rules required to administrate -## an icecast environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`icecast_admin',` - gen_require(` - type icecast_t, icecast_initrc_exec_t; - ') - - ps_process_pattern($1, icecast_t) - - # Allow icecast_t to restart the apache service - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; - allow $2 system_r; - - icecast_manage_pid_files($1) - - icecast_manage_log($1) - -') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te deleted file mode 100644 index fdb7e9aac..000000000 --- a/policy/modules/services/icecast.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(icecast, 1.1.0) - -######################################## -# -# Declarations -# - -type icecast_t; -type icecast_exec_t; -init_daemon_domain(icecast_t, icecast_exec_t) - -type icecast_initrc_exec_t; -init_script_file(icecast_initrc_exec_t) - -type icecast_var_run_t; -files_pid_file(icecast_var_run_t) - -type icecast_log_t; -logging_log_file(icecast_log_t) - -######################################## -# -# icecast local policy -# - -allow icecast_t self:capability { dac_override setgid setuid sys_nice }; -allow icecast_t self:process { getsched fork setsched signal }; -allow icecast_t self:fifo_file rw_fifo_file_perms; -allow icecast_t self:unix_stream_socket create_stream_socket_perms; -allow icecast_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t) -manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -logging_log_filetrans(icecast_t, icecast_log_t, { file dir } ) - -manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) - -kernel_read_system_state(icecast_t) - -corenet_tcp_bind_soundd_port(icecast_t) - -# Init script handling -domain_use_interactive_fds(icecast_t) - -files_read_etc_files(icecast_t) - -auth_use_nsswitch(icecast_t) - -miscfiles_read_localization(icecast_t) - -sysnet_dns_name_resolve(icecast_t) - -optional_policy(` - apache_read_sys_content(icecast_t) -') - -optional_policy(` - rtkit_scheduled(icecast_t) -') diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc deleted file mode 100644 index 2eda96f74..000000000 --- a/policy/modules/services/ifplugd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) - -/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) - -/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) - -/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if deleted file mode 100644 index dfb423267..000000000 --- a/policy/modules/services/ifplugd.if +++ /dev/null @@ -1,133 +0,0 @@ -## Bring up/down ethernet interfaces based on cable detection. - -######################################## -## -## Execute a domain transition to run ifplugd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ifplugd_domtrans',` - gen_require(` - type ifplugd_t, ifplugd_exec_t; - ') - - domtrans_pattern($1, ifplugd_exec_t, ifplugd_t) -') - -######################################## -## -## Send a generic signal to ifplugd -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_signal',` - gen_require(` - type ifplugd_t; - ') - - allow $1 ifplugd_t:process signal; -') - -######################################## -## -## Read ifplugd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_read_config',` - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -') - -######################################## -## -## Manage ifplugd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_manage_config',` - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) - manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -') - -######################################## -## -## Read ifplugd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ifplugd_read_pid_files',` - gen_require(` - type ifplugd_var_run_t; - ') - - files_search_pids($1) - allow $1 ifplugd_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an ifplugd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ifplugd domain. -## -## -## -# -interface(`ifplugd_admin',` - gen_require(` - type ifplugd_t, ifplugd_etc_t; - type ifplugd_var_run_t, ifplugd_initrc_exec_t; - ') - - allow $1 ifplugd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ifplugd_t) - - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ifplugd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ifplugd_etc_t) - - files_list_pids($1) - admin_pattern($1, ifplugd_var_run_t) -') diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te deleted file mode 100644 index 978c32fb2..000000000 --- a/policy/modules/services/ifplugd.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(ifplugd, 1.0.0) - -######################################## -# -# Declarations -# - -type ifplugd_t; -type ifplugd_exec_t; -init_daemon_domain(ifplugd_t, ifplugd_exec_t) - -# config files -type ifplugd_etc_t; -files_type(ifplugd_etc_t) - -type ifplugd_initrc_exec_t; -init_script_file(ifplugd_initrc_exec_t) - -# pid files -type ifplugd_var_run_t; -files_pid_file(ifplugd_var_run_t) - -######################################## -# -# ifplugd local policy -# - -allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; -dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; -allow ifplugd_t self:process { signal signull }; -allow ifplugd_t self:fifo_file rw_fifo_file_perms; -allow ifplugd_t self:tcp_socket create_stream_socket_perms; -allow ifplugd_t self:udp_socket create_socket_perms; -allow ifplugd_t self:packet_socket create_socket_perms; -allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; - -# pid file -manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file }) - -# config files -read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) -exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) - -kernel_read_system_state(ifplugd_t) -kernel_read_network_state(ifplugd_t) -kernel_rw_net_sysctls(ifplugd_t) -kernel_read_kernel_sysctls(ifplugd_t) - -corecmd_exec_shell(ifplugd_t) -corecmd_exec_bin(ifplugd_t) - -# reading of hardware information -dev_read_sysfs(ifplugd_t) - -domain_read_confined_domains_state(ifplugd_t) -domain_dontaudit_read_all_domains_state(ifplugd_t) - -auth_use_nsswitch(ifplugd_t) - -logging_send_syslog_msg(ifplugd_t) - -miscfiles_read_localization(ifplugd_t) - -netutils_domtrans(ifplugd_t) -# transition to ifconfig & dhcpc -sysnet_domtrans_ifconfig(ifplugd_t) -sysnet_domtrans_dhcpc(ifplugd_t) -sysnet_delete_dhcpc_pid(ifplugd_t) -sysnet_read_dhcpc_pid(ifplugd_t) -sysnet_signal_dhcpc(ifplugd_t) - -optional_policy(` - consoletype_exec(ifplugd_t) -') diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc deleted file mode 100644 index 8d455ba64..000000000 --- a/policy/modules/services/imaze.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0) -/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0) - -/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0) diff --git a/policy/modules/services/imaze.if b/policy/modules/services/imaze.if deleted file mode 100644 index 8eb9ec3a7..000000000 --- a/policy/modules/services/imaze.if +++ /dev/null @@ -1 +0,0 @@ -## iMaze game server diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te deleted file mode 100644 index 0778af87a..000000000 --- a/policy/modules/services/imaze.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(imaze, 1.7.0) - -######################################## -# -# Declarations -# - -type imazesrv_t; -type imazesrv_exec_t; -init_daemon_domain(imazesrv_t, imazesrv_exec_t) - -type imazesrv_data_t; -files_type(imazesrv_data_t) - -type imazesrv_data_labs_t; -files_type(imazesrv_data_labs_t) - -type imazesrv_log_t; -logging_log_file(imazesrv_log_t) - -type imazesrv_var_run_t; -files_pid_file(imazesrv_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit imazesrv_t self:capability sys_tty_config; -allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow imazesrv_t self:fd use; -allow imazesrv_t self:fifo_file rw_fifo_file_perms; -allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto }; -allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow imazesrv_t self:shm create_shm_perms; -allow imazesrv_t self:sem create_sem_perms; -allow imazesrv_t self:msgq create_msgq_perms; -allow imazesrv_t self:msg { send receive }; -allow imazesrv_t self:tcp_socket create_stream_socket_perms; -allow imazesrv_t self:udp_socket create_socket_perms; - -allow imazesrv_t imazesrv_data_t:dir list_dir_perms; -read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) -read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) - -allow imazesrv_t imazesrv_log_t:file manage_file_perms; -allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms; -logging_log_filetrans(imazesrv_t, imazesrv_log_t, file) - -manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t) -files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file) - -kernel_read_kernel_sysctls(imazesrv_t) -kernel_list_proc(imazesrv_t) -kernel_read_proc_symlinks(imazesrv_t) - -corenet_all_recvfrom_unlabeled(imazesrv_t) -corenet_all_recvfrom_netlabel(imazesrv_t) -corenet_tcp_sendrecv_generic_if(imazesrv_t) -corenet_udp_sendrecv_generic_if(imazesrv_t) -corenet_tcp_sendrecv_generic_node(imazesrv_t) -corenet_udp_sendrecv_generic_node(imazesrv_t) -corenet_tcp_sendrecv_all_ports(imazesrv_t) -corenet_udp_sendrecv_all_ports(imazesrv_t) -corenet_tcp_bind_generic_node(imazesrv_t) -corenet_udp_bind_generic_node(imazesrv_t) -corenet_tcp_bind_imaze_port(imazesrv_t) -corenet_udp_bind_imaze_port(imazesrv_t) -corenet_sendrecv_imaze_server_packets(imazesrv_t) - -dev_read_sysfs(imazesrv_t) - -domain_use_interactive_fds(imazesrv_t) - -files_read_etc_files(imazesrv_t) - -fs_getattr_all_fs(imazesrv_t) -fs_search_auto_mountpoints(imazesrv_t) - -logging_send_syslog_msg(imazesrv_t) - -miscfiles_read_localization(imazesrv_t) - -sysnet_read_config(imazesrv_t) - -userdom_use_unpriv_users_fds(imazesrv_t) -userdom_dontaudit_search_user_home_dirs(imazesrv_t) - -optional_policy(` - nis_use_ypbind(imazesrv_t) -') - -optional_policy(` - seutil_sigchld_newrole(imazesrv_t) -') - -optional_policy(` - udev_read_db(imazesrv_t) -') diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc deleted file mode 100644 index 39d5baa2e..000000000 --- a/policy/modules/services/inetd.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - -/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - -/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) - -/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if deleted file mode 100644 index df48e5edb..000000000 --- a/policy/modules/services/inetd.if +++ /dev/null @@ -1,205 +0,0 @@ -## Internet services daemon. - -######################################## -## -## Define the specified domain as a inetd service. -## -## -##

-## Define the specified domain as a inetd service. The -## inetd_service_domain(), inetd_tcp_service_domain(), -## or inetd_udp_service_domain() interfaces should be used -## instead of this interface, as this interface only provides -## the common rules to these three interfaces. -##

-## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_core_service_domain',` - gen_require(` - type inetd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(inetd_t, $2, $1) - allow inetd_t $1:process { siginh sigkill }; -') - -######################################## -## -## Define the specified domain as a TCP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_tcp_service_domain',` - - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; -') - -######################################## -## -## Define the specified domain as a UDP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_udp_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:udp_socket rw_socket_perms; -') - -######################################## -## -## Define the specified domain as a TCP and UDP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`inetd_service_domain',` - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; - allow $1 inetd_t:udp_socket rw_socket_perms; - - # encrypt the service through stunnel - optional_policy(` - stunnel_service_domain($1, $2) - ') -') - -######################################## -## -## Inherit and use file descriptors from inetd. -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_use_fds',` - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:fd use; -') - -######################################## -## -## Connect to the inetd service using a TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Run inetd child process in the inet child domain -## -## -## -## Domain allowed to transition. -## -## -# -interface(`inetd_domtrans_child',` - gen_require(` - type inetd_child_t, inetd_child_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, inetd_child_exec_t, inetd_child_t) -') - -######################################## -## -## Send UDP network traffic to inetd. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read and write inetd TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`inetd_rw_tcp_sockets',` - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; -') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te deleted file mode 100644 index c51a7b252..000000000 --- a/policy/modules/services/inetd.te +++ /dev/null @@ -1,242 +0,0 @@ -policy_module(inetd, 1.11.0) - -######################################## -# -# Declarations -# - -type inetd_t; -type inetd_exec_t; -init_daemon_domain(inetd_t, inetd_exec_t) - -type inetd_log_t; -logging_log_file(inetd_log_t) - -type inetd_tmp_t; -files_tmp_file(inetd_tmp_t) - -type inetd_var_run_t; -files_pid_file(inetd_var_run_t) - -type inetd_child_t; -type inetd_child_exec_t; -inetd_service_domain(inetd_child_t, inetd_child_exec_t) -role system_r types inetd_child_t; - -type inetd_child_tmp_t; -files_tmp_file(inetd_child_tmp_t) - -type inetd_child_var_run_t; -files_pid_file(inetd_child_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# Local policy -# - -allow inetd_t self:capability { setuid setgid }; -dontaudit inetd_t self:capability sys_tty_config; -allow inetd_t self:process { setsched setexec }; -allow inetd_t self:fifo_file rw_fifo_file_perms; -allow inetd_t self:tcp_socket create_stream_socket_perms; -allow inetd_t self:udp_socket create_socket_perms; -allow inetd_t self:fd use; - -allow inetd_t inetd_log_t:file manage_file_perms; -logging_log_filetrans(inetd_t, inetd_log_t, file) - -manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) -manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) -files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) - -allow inetd_t inetd_var_run_t:file manage_file_perms; -files_pid_filetrans(inetd_t, inetd_var_run_t, file) - -kernel_read_kernel_sysctls(inetd_t) -kernel_list_proc(inetd_t) -kernel_read_proc_symlinks(inetd_t) -kernel_read_system_state(inetd_t) -kernel_tcp_recvfrom_unlabeled(inetd_t) - -corecmd_bin_domtrans(inetd_t, inetd_child_t) - -# base networking: -corenet_all_recvfrom_unlabeled(inetd_t) -corenet_all_recvfrom_netlabel(inetd_t) -corenet_tcp_sendrecv_generic_if(inetd_t) -corenet_udp_sendrecv_generic_if(inetd_t) -corenet_tcp_sendrecv_generic_node(inetd_t) -corenet_udp_sendrecv_generic_node(inetd_t) -corenet_tcp_sendrecv_all_ports(inetd_t) -corenet_udp_sendrecv_all_ports(inetd_t) -corenet_tcp_bind_generic_node(inetd_t) -corenet_udp_bind_generic_node(inetd_t) -corenet_tcp_connect_all_ports(inetd_t) -corenet_sendrecv_all_client_packets(inetd_t) - -# listen on service ports: -corenet_tcp_bind_amanda_port(inetd_t) -corenet_udp_bind_amanda_port(inetd_t) -corenet_tcp_bind_auth_port(inetd_t) -corenet_udp_bind_comsat_port(inetd_t) -corenet_tcp_bind_dbskkd_port(inetd_t) -corenet_udp_bind_dbskkd_port(inetd_t) -corenet_tcp_bind_ftp_port(inetd_t) -corenet_udp_bind_ftp_port(inetd_t) -corenet_tcp_bind_inetd_child_port(inetd_t) -corenet_udp_bind_inetd_child_port(inetd_t) -corenet_tcp_bind_ircd_port(inetd_t) -corenet_udp_bind_ktalkd_port(inetd_t) -corenet_tcp_bind_printer_port(inetd_t) -corenet_udp_bind_rlogind_port(inetd_t) -corenet_udp_bind_rsh_port(inetd_t) -corenet_tcp_bind_rsh_port(inetd_t) -corenet_tcp_bind_rsync_port(inetd_t) -corenet_udp_bind_rsync_port(inetd_t) -#corenet_tcp_bind_stunnel_port(inetd_t) -corenet_tcp_bind_swat_port(inetd_t) -corenet_udp_bind_swat_port(inetd_t) -corenet_tcp_bind_telnetd_port(inetd_t) -corenet_udp_bind_tftp_port(inetd_t) -corenet_tcp_bind_ssh_port(inetd_t) -corenet_tcp_bind_git_port(inetd_t) -corenet_udp_bind_git_port(inetd_t) - -# service port packets: -corenet_sendrecv_amanda_server_packets(inetd_t) -corenet_sendrecv_auth_server_packets(inetd_t) -corenet_sendrecv_comsat_server_packets(inetd_t) -corenet_sendrecv_dbskkd_server_packets(inetd_t) -corenet_sendrecv_ftp_server_packets(inetd_t) -corenet_sendrecv_inetd_child_server_packets(inetd_t) -corenet_sendrecv_ircd_server_packets(inetd_t) -corenet_sendrecv_ktalkd_server_packets(inetd_t) -corenet_sendrecv_printer_server_packets(inetd_t) -corenet_sendrecv_rsh_server_packets(inetd_t) -corenet_sendrecv_rsync_server_packets(inetd_t) -#corenet_sendrecv_stunnel_server_packets(inetd_t) -corenet_sendrecv_swat_server_packets(inetd_t) -corenet_sendrecv_tftp_server_packets(inetd_t) - -dev_read_sysfs(inetd_t) - -fs_getattr_all_fs(inetd_t) -fs_search_auto_mountpoints(inetd_t) - -selinux_validate_context(inetd_t) -selinux_compute_create_context(inetd_t) - -# Run other daemons in the inetd_child_t domain. -corecmd_search_bin(inetd_t) -corecmd_read_bin_symlinks(inetd_t) - -domain_use_interactive_fds(inetd_t) - -files_read_etc_files(inetd_t) -files_read_etc_runtime_files(inetd_t) - -auth_use_nsswitch(inetd_t) - -logging_send_syslog_msg(inetd_t) - -miscfiles_read_localization(inetd_t) - -# xinetd needs MLS override privileges to work -mls_fd_share_all_levels(inetd_t) -mls_socket_read_to_clearance(inetd_t) -mls_socket_write_to_clearance(inetd_t) -mls_process_set_level(inetd_t) - -sysnet_read_config(inetd_t) - -userdom_dontaudit_use_unpriv_user_fds(inetd_t) -userdom_dontaudit_search_user_home_dirs(inetd_t) - -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(inetd_t) - ') -') - -ifdef(`enable_mls',` - corenet_tcp_recvfrom_netlabel(inetd_t) - corenet_udp_recvfrom_netlabel(inetd_t) -') - -optional_policy(` - amanda_search_lib(inetd_t) -') - -optional_policy(` - seutil_sigchld_newrole(inetd_t) -') - -optional_policy(` - udev_read_db(inetd_t) -') - -optional_policy(` - unconfined_domtrans(inetd_t) -') - -######################################## -# -# inetd child local_policy -# - -allow inetd_child_t self:process signal_perms; -allow inetd_child_t self:fifo_file rw_fifo_file_perms; -allow inetd_child_t self:tcp_socket connected_stream_socket_perms; -allow inetd_child_t self:udp_socket create_socket_perms; - -# for identd -allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow inetd_child_t self:capability { setuid setgid }; -files_search_home(inetd_child_t) - -manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) -manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) -files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir }) - -manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t) -files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file) - -kernel_read_kernel_sysctls(inetd_child_t) -kernel_read_system_state(inetd_child_t) -kernel_read_network_state(inetd_child_t) - -corenet_all_recvfrom_unlabeled(inetd_child_t) -corenet_all_recvfrom_netlabel(inetd_child_t) -corenet_tcp_sendrecv_generic_if(inetd_child_t) -corenet_udp_sendrecv_generic_if(inetd_child_t) -corenet_tcp_sendrecv_generic_node(inetd_child_t) -corenet_udp_sendrecv_generic_node(inetd_child_t) -corenet_tcp_sendrecv_all_ports(inetd_child_t) -corenet_udp_sendrecv_all_ports(inetd_child_t) - -dev_read_urand(inetd_child_t) - -fs_getattr_xattr_fs(inetd_child_t) - -files_read_etc_files(inetd_child_t) -files_read_etc_runtime_files(inetd_child_t) - -auth_use_nsswitch(inetd_child_t) - -logging_send_syslog_msg(inetd_child_t) - -miscfiles_read_localization(inetd_child_t) - -sysnet_read_config(inetd_child_t) - -optional_policy(` - kerberos_use(inetd_child_t) -') - -optional_policy(` - unconfined_domain(inetd_child_t) -') diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc deleted file mode 100644 index 8ca038d76..000000000 --- a/policy/modules/services/inn.fc +++ /dev/null @@ -1,67 +0,0 @@ - -# -# /etc -# -/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0) -/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0) -/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0) - -/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0) - -/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) - -/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) - -# cjp: split these to fix an ordering -# problem with a match in corecommands -/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) - -/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0) - -/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) -/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) - -/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if deleted file mode 100644 index ebc9e0d76..000000000 --- a/policy/modules/services/inn.if +++ /dev/null @@ -1,224 +0,0 @@ -## Internet News NNTP server - -######################################## -## -## Allow the specified domain to execute innd -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_exec',` - gen_require(` - type innd_t; - ') - - can_exec($1, innd_exec_t) -') - -######################################## -## -## Allow the specified domain to execute -## inn configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_exec_config',` - gen_require(` - type innd_etc_t; - ') - - can_exec($1, innd_etc_t) -') - -######################################## -## -## Create, read, write, and delete the innd log. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_manage_log',` - gen_require(` - type innd_log_t; - ') - - logging_rw_generic_log_dirs($1) - manage_files_pattern($1, innd_log_t, innd_log_t) -') - -######################################## -## -## Create, read, write, and delete the innd pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_manage_pid',` - gen_require(` - type innd_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, innd_var_run_t, innd_var_run_t) - manage_lnk_files_pattern($1, innd_var_run_t, innd_var_run_t) -') - -######################################## -## -## Read innd configuration files. -## -## -## -## Domain allowed access. -## -## - -# -interface(`inn_read_config',` - gen_require(` - type innd_etc_t; - ') - - allow $1 innd_etc_t:dir list_dir_perms; - allow $1 innd_etc_t:file read_file_perms; - allow $1 innd_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Read innd news library files. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_read_news_lib',` - gen_require(` - type innd_var_lib_t; - ') - - allow $1 innd_var_lib_t:dir list_dir_perms; - allow $1 innd_var_lib_t:file read_file_perms; - allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Read innd news library files. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_read_news_spool',` - gen_require(` - type news_spool_t; - ') - - allow $1 news_spool_t:dir list_dir_perms; - allow $1 news_spool_t:file read_file_perms; - allow $1 news_spool_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Send to a innd unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`inn_dgram_send',` - gen_require(` - type innd_t; - ') - - allow $1 innd_t:unix_dgram_socket sendto; -') - -######################################## -## -## Execute inn in the inn domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`inn_domtrans',` - gen_require(` - type innd_t, innd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, innd_exec_t, innd_t) -') - -######################################## -## -## All of the rules required to administrate -## an inn environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the inn domain. -## -## -## -# -interface(`inn_admin',` - gen_require(` - type innd_t, innd_etc_t, innd_log_t; - type news_spool_t, innd_var_lib_t; - type innd_var_run_t, innd_initrc_exec_t; - ') - - allow $1 innd_t:process { ptrace signal_perms }; - ps_process_pattern($1, innd_t) - - init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 innd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, innd_etc_t) - - logging_list_logs($1) - admin_pattern($1, innd_log_t) - - files_list_var_lib($1) - admin_pattern($1, innd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, innd_var_run_t) - - files_list_spool($1) - admin_pattern($1, news_spool_t) -') diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te deleted file mode 100644 index 9fab1dc86..000000000 --- a/policy/modules/services/inn.te +++ /dev/null @@ -1,129 +0,0 @@ -policy_module(inn, 1.9.0) - -######################################## -# -# Declarations -# -type innd_t; -type innd_exec_t; -init_daemon_domain(innd_t, innd_exec_t) - -type innd_etc_t; -files_config_file(innd_etc_t) - -type innd_initrc_exec_t; -init_script_file(innd_initrc_exec_t) - -type innd_log_t; -logging_log_file(innd_log_t) - -type innd_var_lib_t; -files_type(innd_var_lib_t) - -type innd_var_run_t; -files_pid_file(innd_var_run_t) - -type news_spool_t; -files_mountpoint(news_spool_t) - -######################################## -# -# Local policy -# -allow innd_t self:capability { dac_override kill setgid setuid }; -dontaudit innd_t self:capability sys_tty_config; -allow innd_t self:process { setsched signal_perms }; -allow innd_t self:fifo_file rw_fifo_file_perms; -allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; -allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow innd_t self:tcp_socket create_stream_socket_perms; -allow innd_t self:udp_socket create_socket_perms; -allow innd_t self:netlink_route_socket r_netlink_socket_perms; - -read_files_pattern(innd_t, innd_etc_t, innd_etc_t) -read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - -can_exec(innd_t, innd_exec_t) - -manage_files_pattern(innd_t, innd_log_t, innd_log_t) -allow innd_t innd_log_t:dir setattr; -logging_log_filetrans(innd_t, innd_log_t, file) - -manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -files_var_lib_filetrans(innd_t, innd_var_lib_t, file) - -manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) -manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -files_pid_filetrans(innd_t, innd_var_run_t, file) - -manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) -manage_files_pattern(innd_t, news_spool_t, news_spool_t) -manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) - -kernel_read_kernel_sysctls(innd_t) -kernel_read_system_state(innd_t) - -corenet_all_recvfrom_unlabeled(innd_t) -corenet_all_recvfrom_netlabel(innd_t) -corenet_tcp_sendrecv_generic_if(innd_t) -corenet_udp_sendrecv_generic_if(innd_t) -corenet_tcp_sendrecv_generic_node(innd_t) -corenet_udp_sendrecv_generic_node(innd_t) -corenet_tcp_sendrecv_all_ports(innd_t) -corenet_udp_sendrecv_all_ports(innd_t) -corenet_tcp_bind_generic_node(innd_t) -corenet_tcp_bind_innd_port(innd_t) -corenet_tcp_connect_all_ports(innd_t) -corenet_sendrecv_innd_server_packets(innd_t) -corenet_sendrecv_all_client_packets(innd_t) - -dev_read_sysfs(innd_t) -dev_read_urand(innd_t) - -fs_getattr_all_fs(innd_t) -fs_search_auto_mountpoints(innd_t) - -corecmd_exec_bin(innd_t) -corecmd_exec_shell(innd_t) - -domain_use_interactive_fds(innd_t) - -files_list_spool(innd_t) -files_read_etc_files(innd_t) -files_read_etc_runtime_files(innd_t) -files_read_usr_files(innd_t) - -logging_send_syslog_msg(innd_t) - -miscfiles_read_localization(innd_t) - -seutil_dontaudit_search_config(innd_t) - -sysnet_read_config(innd_t) - -userdom_dontaudit_use_unpriv_user_fds(innd_t) -userdom_dontaudit_search_user_home_dirs(innd_t) - -mta_send_mail(innd_t) - -optional_policy(` - cron_system_entry(innd_t, innd_exec_t) -') - -optional_policy(` - hostname_exec(innd_t) -') - -optional_policy(` - nis_use_ypbind(innd_t) -') - -optional_policy(` - seutil_sigchld_newrole(innd_t) -') - -optional_policy(` - udev_read_db(innd_t) -') diff --git a/policy/modules/services/ircd.fc b/policy/modules/services/ircd.fc deleted file mode 100644 index d733fa8f4..000000000 --- a/policy/modules/services/ircd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0) - -/usr/sbin/(dancer-)?ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) - -/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0) -/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0) -/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0) diff --git a/policy/modules/services/ircd.if b/policy/modules/services/ircd.if deleted file mode 100644 index 3f4de835d..000000000 --- a/policy/modules/services/ircd.if +++ /dev/null @@ -1 +0,0 @@ -## IRC server diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te deleted file mode 100644 index 75ab1e2d7..000000000 --- a/policy/modules/services/ircd.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(ircd, 1.7.0) - -######################################## -# -# Declarations -# - -type ircd_t; -type ircd_exec_t; -init_daemon_domain(ircd_t, ircd_exec_t) - -type ircd_etc_t; -files_config_file(ircd_etc_t) - -type ircd_log_t; -logging_log_file(ircd_log_t) - -type ircd_var_lib_t; -files_type(ircd_var_lib_t) - -type ircd_var_run_t; -files_pid_file(ircd_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit ircd_t self:capability sys_tty_config; -allow ircd_t self:process signal_perms; -allow ircd_t self:tcp_socket create_stream_socket_perms; -allow ircd_t self:udp_socket create_socket_perms; - -read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) -read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) -files_search_etc(ircd_t) - -manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t) -logging_log_filetrans(ircd_t, ircd_log_t, { file dir }) - -manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t) -files_var_lib_filetrans(ircd_t, ircd_var_lib_t, file) - -manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t) -files_pid_filetrans(ircd_t, ircd_var_run_t, file) - -kernel_read_system_state(ircd_t) -kernel_read_kernel_sysctls(ircd_t) - -corecmd_search_bin(ircd_t) - -corenet_all_recvfrom_unlabeled(ircd_t) -corenet_all_recvfrom_netlabel(ircd_t) -corenet_tcp_sendrecv_generic_if(ircd_t) -corenet_udp_sendrecv_generic_if(ircd_t) -corenet_tcp_sendrecv_generic_node(ircd_t) -corenet_udp_sendrecv_generic_node(ircd_t) -corenet_tcp_sendrecv_all_ports(ircd_t) -corenet_udp_sendrecv_all_ports(ircd_t) -corenet_tcp_bind_generic_node(ircd_t) -corenet_tcp_bind_ircd_port(ircd_t) -corenet_sendrecv_ircd_server_packets(ircd_t) - -dev_read_sysfs(ircd_t) - -domain_use_interactive_fds(ircd_t) - -files_read_etc_files(ircd_t) -files_read_etc_runtime_files(ircd_t) - -fs_getattr_all_fs(ircd_t) -fs_search_auto_mountpoints(ircd_t) - -logging_send_syslog_msg(ircd_t) - -miscfiles_read_localization(ircd_t) - -sysnet_read_config(ircd_t) - -userdom_dontaudit_use_unpriv_user_fds(ircd_t) -userdom_dontaudit_search_user_home_dirs(ircd_t) - -optional_policy(` - nis_use_ypbind(ircd_t) -') - -optional_policy(` - seutil_sigchld_newrole(ircd_t) -') - -optional_policy(` - udev_read_db(ircd_t) -') diff --git a/policy/modules/services/irqbalance.fc b/policy/modules/services/irqbalance.fc deleted file mode 100644 index 38310757b..000000000 --- a/policy/modules/services/irqbalance.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) diff --git a/policy/modules/services/irqbalance.if b/policy/modules/services/irqbalance.if deleted file mode 100644 index 058fb75ca..000000000 --- a/policy/modules/services/irqbalance.if +++ /dev/null @@ -1 +0,0 @@ -## IRQ balancing daemon diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te deleted file mode 100644 index 9aeeaf931..000000000 --- a/policy/modules/services/irqbalance.te +++ /dev/null @@ -1,56 +0,0 @@ -policy_module(irqbalance, 1.5.0) - -######################################## -# -# Declarations -# - -type irqbalance_t; -type irqbalance_exec_t; -init_daemon_domain(irqbalance_t, irqbalance_exec_t) - -type irqbalance_var_run_t; -files_pid_file(irqbalance_var_run_t) - -######################################## -# -# Local policy -# - -allow irqbalance_t self:capability { setpcap net_admin }; -dontaudit irqbalance_t self:capability sys_tty_config; -allow irqbalance_t self:process { getcap setcap signal_perms }; -allow irqbalance_t self:udp_socket create_socket_perms; - -manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) -files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) - -kernel_read_network_state(irqbalance_t) -kernel_read_system_state(irqbalance_t) -kernel_read_kernel_sysctls(irqbalance_t) -kernel_rw_irq_sysctls(irqbalance_t) - -dev_read_sysfs(irqbalance_t) - -files_read_etc_files(irqbalance_t) -files_read_etc_runtime_files(irqbalance_t) - -fs_getattr_all_fs(irqbalance_t) -fs_search_auto_mountpoints(irqbalance_t) - -domain_use_interactive_fds(irqbalance_t) - -logging_send_syslog_msg(irqbalance_t) - -miscfiles_read_localization(irqbalance_t) - -userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) -userdom_dontaudit_search_user_home_dirs(irqbalance_t) - -optional_policy(` - seutil_sigchld_newrole(irqbalance_t) -') - -optional_policy(` - udev_read_db(irqbalance_t) -') diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc deleted file mode 100644 index 4c9acec11..000000000 --- a/policy/modules/services/jabber.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) - -/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) - -/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) -/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if deleted file mode 100644 index 98784995f..000000000 --- a/policy/modules/services/jabber.if +++ /dev/null @@ -1,56 +0,0 @@ -## Jabber instant messaging server - -######################################## -## -## Connect to jabber over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`jabber_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an jabber environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the jabber domain. -## -## -## -# -interface(`jabber_admin',` - gen_require(` - type jabberd_t, jabberd_log_t, jabberd_var_lib_t; - type jabberd_var_run_t, jabberd_initrc_exec_t; - ') - - allow $1 jabberd_t:process { ptrace signal_perms }; - ps_process_pattern($1, jabberd_t) - - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 jabberd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, jabberd_log_t) - - files_list_var_lib($1) - admin_pattern($1, jabberd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, jabberd_var_run_t) -') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te deleted file mode 100644 index da2127e58..000000000 --- a/policy/modules/services/jabber.te +++ /dev/null @@ -1,94 +0,0 @@ -policy_module(jabber, 1.8.0) - -######################################## -# -# Declarations -# - -type jabberd_t; -type jabberd_exec_t; -init_daemon_domain(jabberd_t, jabberd_exec_t) - -type jabberd_initrc_exec_t; -init_script_file(jabberd_initrc_exec_t) - -type jabberd_log_t; -logging_log_file(jabberd_log_t) - -type jabberd_var_lib_t; -files_type(jabberd_var_lib_t) - -type jabberd_var_run_t; -files_pid_file(jabberd_var_run_t) - -######################################## -# -# Local policy -# - -allow jabberd_t self:capability dac_override; -dontaudit jabberd_t self:capability sys_tty_config; -allow jabberd_t self:process signal_perms; -allow jabberd_t self:fifo_file read_fifo_file_perms; -allow jabberd_t self:tcp_socket create_stream_socket_perms; -allow jabberd_t self:udp_socket create_socket_perms; - -manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) -files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) - -manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) - -manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) -files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) - -kernel_read_kernel_sysctls(jabberd_t) -kernel_list_proc(jabberd_t) -kernel_read_proc_symlinks(jabberd_t) - -corenet_all_recvfrom_unlabeled(jabberd_t) -corenet_all_recvfrom_netlabel(jabberd_t) -corenet_tcp_sendrecv_generic_if(jabberd_t) -corenet_udp_sendrecv_generic_if(jabberd_t) -corenet_tcp_sendrecv_generic_node(jabberd_t) -corenet_udp_sendrecv_generic_node(jabberd_t) -corenet_tcp_sendrecv_all_ports(jabberd_t) -corenet_udp_sendrecv_all_ports(jabberd_t) -corenet_tcp_bind_generic_node(jabberd_t) -corenet_tcp_bind_jabber_client_port(jabberd_t) -corenet_tcp_bind_jabber_interserver_port(jabberd_t) -corenet_sendrecv_jabber_client_server_packets(jabberd_t) -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) - -dev_read_sysfs(jabberd_t) -# For SSL -dev_read_rand(jabberd_t) - -domain_use_interactive_fds(jabberd_t) - -files_read_etc_files(jabberd_t) -files_read_etc_runtime_files(jabberd_t) - -fs_getattr_all_fs(jabberd_t) -fs_search_auto_mountpoints(jabberd_t) - -logging_send_syslog_msg(jabberd_t) - -miscfiles_read_localization(jabberd_t) - -sysnet_read_config(jabberd_t) - -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) - -optional_policy(` - nis_use_ypbind(jabberd_t) -') - -optional_policy(` - seutil_sigchld_newrole(jabberd_t) -') - -optional_policy(` - udev_read_db(jabberd_t) -') diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc deleted file mode 100644 index 3525d248a..000000000 --- a/policy/modules/services/kerberos.fc +++ /dev/null @@ -1,33 +0,0 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - -/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) -/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) - -/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - -/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) -/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) - -/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if deleted file mode 100644 index 604f67bfe..000000000 --- a/policy/modules/services/kerberos.if +++ /dev/null @@ -1,380 +0,0 @@ -## MIT Kerberos admin and KDC -## -##

-## This policy supports: -##

-##

-## Servers: -##

    -##
  • kadmind
    • -##
  • krb5kdc
    • -##
-##

-##

-## Clients: -##

    -##
  • kinit
    • -##
  • kdestroy
    • -##
  • klist
    • -##
  • ksu (incomplete)
    • -##
-##

-## - -######################################## -## -## Execute kadmind in the current domain -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_exec_kadmind',` - gen_require(` - type kadmind_exec_t; - ') - - can_exec($1, kadmind_exec_t) -') - -######################################## -## -## Execute a domain transition to run kpropd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kerberos_domtrans_kpropd',` - gen_require(` - type kpropd_t, kpropd_exec_t; - ') - - domtrans_pattern($1, kpropd_exec_t, kpropd_t) -') - -######################################## -## -## Use kerberos services -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_use',` - gen_require(` - type krb5_conf_t, krb5kdc_conf_t; - type krb5_host_rcache_t; - ') - - files_search_etc($1) - read_files_pattern($1, krb5_conf_t, krb5_conf_t) - dontaudit $1 krb5_conf_t:file write; - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - - #kerberos libraries are attempting to set the correct file context - dontaudit $1 self:process setfscreate; - selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_kerberos_port($1) - corenet_udp_sendrecv_kerberos_port($1) - corenet_tcp_bind_generic_node($1) - corenet_udp_bind_generic_node($1) - corenet_tcp_connect_kerberos_port($1) - corenet_tcp_connect_ocsp_port($1) - corenet_sendrecv_kerberos_client_packets($1) - corenet_sendrecv_ocsp_client_packets($1) - - allow $1 krb5_host_rcache_t:file getattr; - ') - - optional_policy(` - tunable_policy(`allow_kerberos',` - pcscd_stream_connect($1) - ') - ') - - optional_policy(` - sssd_read_public_files($1) - ') -') - -######################################## -## -## Read the kerberos configuration file (/etc/krb5.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_read_config',` - gen_require(` - type krb5_conf_t, krb5_home_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file read_file_perms; - allow $1 krb5_home_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to write the kerberos -## configuration file (/etc/krb5.conf). -## -## -## -## Domain to not audit. -## -## -# -interface(`kerberos_dontaudit_write_config',` - gen_require(` - type krb5_conf_t; - ') - - dontaudit $1 krb5_conf_t:file write; -') - -######################################## -## -## Read and write the kerberos configuration file (/etc/krb5.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_rw_config',` - gen_require(` - type krb5_conf_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file rw_file_perms; -') - -######################################## -## -## Read the kerberos key table. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_read_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file read_file_perms; -') - -######################################## -## -## Read/Write the kerberos key table. -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_rw_keytab',` - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file rw_file_perms; -') - -######################################## -## -## Create a derived type for kerberos keytab -## -## -## -## The prefix to be used for deriving type names. -## -## -## -## -## Domain allowed access. -## -## -# -template(`kerberos_keytab_template',` - type $1_keytab_t; - files_type($1_keytab_t) - - allow $2 $1_keytab_t:file read_file_perms; - - kerberos_read_keytab($2) - kerberos_use($2) -') - -######################################## -## -## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_read_kdc_config',` - gen_require(` - type krb5kdc_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) -') - -######################################## -## -## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`kerberos_manage_host_rcache',` - gen_require(` - type krb5_host_rcache_t; - ') - - # creates files as system_u no matter what the selinux user - # cjp: should be in the below tunable but typeattribute - # does not work in conditionals - domain_obj_id_change_exemption($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:process setfscreate; - - selinux_validate_context($1) - - seutil_read_file_contexts($1) - - allow $1 krb5_host_rcache_t:file manage_file_perms; - files_search_tmp($1) - ') -') - -######################################## -## -## Connect to krb524 service -## -## -## -## Domain allowed access. -## -## -# -interface(`kerberos_connect_524',` - tunable_policy(`allow_kerberos',` - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_udp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_node($1) - corenet_udp_sendrecv_kerberos_master_port($1) - corenet_sendrecv_kerberos_master_client_packets($1) - ') -') - -######################################## -## -## All of the rules required to administrate -## an kerberos environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the kerberos domain. -## -## -## -# -interface(`kerberos_admin',` - gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; - type kpropd_t; - ') - - allow $1 kadmind_t:process { ptrace signal_perms }; - ps_process_pattern($1, kadmind_t) - - allow $1 krb5kdc_t:process { ptrace signal_perms }; - ps_process_pattern($1, krb5kdc_t) - - allow $1 kpropd_t:process { ptrace signal_perms }; - ps_process_pattern($1, kpropd_t) - - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerberos_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, kadmind_log_t) - - files_list_tmp($1) - admin_pattern($1, kadmind_tmp_t) - - files_list_pids($1) - admin_pattern($1, kadmind_var_run_t) - - admin_pattern($1, krb5_conf_t) - - admin_pattern($1, krb5_host_rcache_t) - - admin_pattern($1, krb5_keytab_t) - - admin_pattern($1, krb5kdc_principal_t) - - admin_pattern($1, krb5kdc_tmp_t) - - admin_pattern($1, krb5kdc_var_run_t) -') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te deleted file mode 100644 index 8edc29b6f..000000000 --- a/policy/modules/services/kerberos.te +++ /dev/null @@ -1,325 +0,0 @@ -policy_module(kerberos, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow confined applications to run with kerberos. -##

-## -gen_tunable(allow_kerberos, false) - -type kadmind_t; -type kadmind_exec_t; -init_daemon_domain(kadmind_t, kadmind_exec_t) -domain_obj_id_change_exemption(kadmind_t) - -type kadmind_log_t; -logging_log_file(kadmind_log_t) - -type kadmind_tmp_t; -files_tmp_file(kadmind_tmp_t) - -type kadmind_var_run_t; -files_pid_file(kadmind_var_run_t) - -type kerberos_initrc_exec_t; -init_script_file(kerberos_initrc_exec_t) - -type kpropd_t; -type kpropd_exec_t; -init_daemon_domain(kpropd_t, kpropd_exec_t) -domain_obj_id_change_exemption(kpropd_t) - -type krb5_conf_t; -files_type(krb5_conf_t) - -type krb5_home_t; -userdom_user_home_content(krb5_home_t) - -type krb5_host_rcache_t; -files_tmp_file(krb5_host_rcache_t) - -# types for general configuration files in /etc -type krb5_keytab_t; -files_security_file(krb5_keytab_t) - -# types for KDC configs and principal file(s) -type krb5kdc_conf_t; -files_type(krb5kdc_conf_t) - -type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) - -# types for KDC principal file(s) -type krb5kdc_principal_t; -files_type(krb5kdc_principal_t) - -type krb5kdc_t; -type krb5kdc_exec_t; -init_daemon_domain(krb5kdc_t, krb5kdc_exec_t) -domain_obj_id_change_exemption(krb5kdc_t) - -type krb5kdc_log_t; -logging_log_file(krb5kdc_log_t) - -type krb5kdc_tmp_t; -files_tmp_file(krb5kdc_tmp_t) - -type krb5kdc_var_run_t; -files_pid_file(krb5kdc_var_run_t) - -######################################## -# -# kadmind local policy -# - -# Use capabilities. Surplus capabilities may be allowed. -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -dontaudit kadmind_t self:capability sys_tty_config; -allow kadmind_t self:process { setfscreate signal_perms }; -allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; -allow kadmind_t self:unix_dgram_socket { connect create write }; -allow kadmind_t self:tcp_socket connected_stream_socket_perms; -allow kadmind_t self:udp_socket create_socket_perms; - -allow kadmind_t kadmind_log_t:file manage_file_perms; -logging_log_filetrans(kadmind_t, kadmind_log_t, file) - -allow kadmind_t krb5_conf_t:file read_file_perms; -dontaudit kadmind_t krb5_conf_t:file write; - -read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit kadmind_t krb5kdc_conf_t:file { write setattr }; - -allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr }; - -allow kadmind_t krb5kdc_principal_t:file manage_file_perms; -filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) - -can_exec(kadmind_t, kadmind_exec_t) - -manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) -manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) -files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) - -manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) -files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) - -kernel_read_kernel_sysctls(kadmind_t) -kernel_list_proc(kadmind_t) -kernel_read_network_state(kadmind_t) -kernel_read_proc_symlinks(kadmind_t) -kernel_read_system_state(kadmind_t) - -corenet_all_recvfrom_unlabeled(kadmind_t) -corenet_all_recvfrom_netlabel(kadmind_t) -corenet_tcp_sendrecv_generic_if(kadmind_t) -corenet_udp_sendrecv_generic_if(kadmind_t) -corenet_tcp_sendrecv_generic_node(kadmind_t) -corenet_udp_sendrecv_generic_node(kadmind_t) -corenet_tcp_sendrecv_all_ports(kadmind_t) -corenet_udp_sendrecv_all_ports(kadmind_t) -corenet_tcp_bind_generic_node(kadmind_t) -corenet_udp_bind_generic_node(kadmind_t) -corenet_tcp_bind_kerberos_admin_port(kadmind_t) -corenet_udp_bind_kerberos_admin_port(kadmind_t) -corenet_tcp_bind_reserved_port(kadmind_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) -corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) - -dev_read_sysfs(kadmind_t) -dev_read_rand(kadmind_t) -dev_read_urand(kadmind_t) - -fs_getattr_all_fs(kadmind_t) -fs_search_auto_mountpoints(kadmind_t) - -domain_use_interactive_fds(kadmind_t) - -files_read_etc_files(kadmind_t) -files_read_usr_symlinks(kadmind_t) -files_read_usr_files(kadmind_t) -files_read_var_files(kadmind_t) - -selinux_validate_context(kadmind_t) - -logging_send_syslog_msg(kadmind_t) - -miscfiles_read_localization(kadmind_t) - -seutil_read_file_contexts(kadmind_t) - -sysnet_read_config(kadmind_t) -sysnet_use_ldap(kadmind_t) - -userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -userdom_dontaudit_search_user_home_dirs(kadmind_t) - -optional_policy(` - nis_use_ypbind(kadmind_t) -') - -optional_policy(` - seutil_sigchld_newrole(kadmind_t) -') - -optional_policy(` - udev_read_db(kadmind_t) -') - -######################################## -# -# Krb5kdc local policy -# - -# Use capabilities. Surplus capabilities may be allowed. -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -dontaudit krb5kdc_t self:capability sys_tty_config; -allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; -allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -allow krb5kdc_t self:tcp_socket create_stream_socket_perms; -allow krb5kdc_t self:udp_socket create_socket_perms; -allow krb5kdc_t self:fifo_file rw_fifo_file_perms; - -allow krb5kdc_t krb5_conf_t:file read_file_perms; -dontaudit krb5kdc_t krb5_conf_t:file write; - -can_exec(krb5kdc_t, krb5kdc_exec_t) - -read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit krb5kdc_t krb5kdc_conf_t:file write; - -allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; - -allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; -logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) - -allow krb5kdc_t krb5kdc_principal_t:file read_file_perms; -dontaudit krb5kdc_t krb5kdc_principal_t:file write; - -manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - -manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) -files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - -kernel_read_system_state(krb5kdc_t) -kernel_read_kernel_sysctls(krb5kdc_t) -kernel_list_proc(krb5kdc_t) -kernel_read_proc_symlinks(krb5kdc_t) -kernel_read_network_state(krb5kdc_t) -kernel_search_network_sysctl(krb5kdc_t) - -corecmd_exec_bin(krb5kdc_t) - -corenet_all_recvfrom_unlabeled(krb5kdc_t) -corenet_all_recvfrom_netlabel(krb5kdc_t) -corenet_tcp_sendrecv_generic_if(krb5kdc_t) -corenet_udp_sendrecv_generic_if(krb5kdc_t) -corenet_tcp_sendrecv_generic_node(krb5kdc_t) -corenet_udp_sendrecv_generic_node(krb5kdc_t) -corenet_tcp_sendrecv_all_ports(krb5kdc_t) -corenet_udp_sendrecv_all_ports(krb5kdc_t) -corenet_tcp_bind_generic_node(krb5kdc_t) -corenet_udp_bind_generic_node(krb5kdc_t) -corenet_tcp_bind_kerberos_port(krb5kdc_t) -corenet_udp_bind_kerberos_port(krb5kdc_t) -corenet_tcp_connect_ocsp_port(krb5kdc_t) -corenet_sendrecv_kerberos_server_packets(krb5kdc_t) -corenet_sendrecv_ocsp_client_packets(krb5kdc_t) - -dev_read_sysfs(krb5kdc_t) -dev_read_urand(krb5kdc_t) - -fs_getattr_all_fs(krb5kdc_t) -fs_search_auto_mountpoints(krb5kdc_t) - -domain_use_interactive_fds(krb5kdc_t) - -files_read_etc_files(krb5kdc_t) -files_read_usr_symlinks(krb5kdc_t) -files_read_var_files(krb5kdc_t) - -selinux_validate_context(krb5kdc_t) - -logging_send_syslog_msg(krb5kdc_t) - -miscfiles_read_localization(krb5kdc_t) - -seutil_read_file_contexts(krb5kdc_t) - -sysnet_read_config(krb5kdc_t) -sysnet_use_ldap(krb5kdc_t) - -userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -userdom_dontaudit_search_user_home_dirs(krb5kdc_t) - -optional_policy(` - nis_use_ypbind(krb5kdc_t) -') - -optional_policy(` - seutil_sigchld_newrole(krb5kdc_t) -') - -optional_policy(` - udev_read_db(krb5kdc_t) -') - -######################################## -# -# kpropd local policy -# - -allow kpropd_t self:capability net_bind_service; -allow kpropd_t self:process setfscreate; - -allow kpropd_t self:fifo_file rw_file_perms; -allow kpropd_t self:unix_stream_socket create_stream_socket_perms; -allow kpropd_t self:tcp_socket create_stream_socket_perms; - -allow kpropd_t krb5_host_rcache_t:file manage_file_perms; - -allow kpropd_t krb5_keytab_t:file read_file_perms; - -read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t) - -manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) -filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) - -manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) - -manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) - -corecmd_exec_bin(kpropd_t) - -corenet_all_recvfrom_unlabeled(kpropd_t) -corenet_tcp_sendrecv_generic_if(kpropd_t) -corenet_tcp_sendrecv_generic_node(kpropd_t) -corenet_tcp_sendrecv_all_ports(kpropd_t) -corenet_tcp_bind_generic_node(kpropd_t) -corenet_tcp_bind_kprop_port(kpropd_t) - -dev_read_urand(kpropd_t) - -files_read_etc_files(kpropd_t) -files_search_tmp(kpropd_t) - -selinux_validate_context(kpropd_t) - -logging_send_syslog_msg(kpropd_t) - -miscfiles_read_localization(kpropd_t) - -seutil_read_file_contexts(kpropd_t) - -sysnet_dns_name_resolve(kpropd_t) - -kerberos_use(kpropd_t) diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc deleted file mode 100644 index 5ef261a38..000000000 --- a/policy/modules/services/kerneloops.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) - -/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if deleted file mode 100644 index 835b16b0f..000000000 --- a/policy/modules/services/kerneloops.if +++ /dev/null @@ -1,115 +0,0 @@ -## Service for reporting kernel oopses to kerneloops.org - -######################################## -## -## Execute a domain transition to run kerneloops. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`kerneloops_domtrans',` - gen_require(` - type kerneloops_t; - type kerneloops_exec_t; - ') - - domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) -') - -######################################## -## -## Send and receive messages from -## kerneloops over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`kerneloops_dbus_chat',` - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - allow $1 kerneloops_t:dbus send_msg; - allow kerneloops_t $1:dbus send_msg; -') - -######################################## -## -## dontaudit attempts to Send and receive messages from -## kerneloops over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`kerneloops_dontaudit_dbus_chat',` - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - dontaudit $1 kerneloops_t:dbus send_msg; - dontaudit kerneloops_t $1:dbus send_msg; -') - -######################################## -## -## Allow domain to manage kerneloops tmp files -## -## -## -## Domain allowed access. -## -## -# -interface(`kerneloops_manage_tmp_files',` - gen_require(` - type kerneloops_tmp_t; - ') - - manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) - files_search_tmp($1) -') - -######################################## -## -## All of the rules required to administrate -## an kerneloops environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the kerneloops domain. -## -## -## -# -interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; - ps_process_pattern($1, kerneloops_t) - - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, kerneloops_tmp_t) -') diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te deleted file mode 100644 index 6b355479b..000000000 --- a/policy/modules/services/kerneloops.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(kerneloops, 1.4.0) - -######################################## -# -# Declarations -# - -type kerneloops_t; -type kerneloops_exec_t; -init_daemon_domain(kerneloops_t, kerneloops_exec_t) - -type kerneloops_initrc_exec_t; -init_script_file(kerneloops_initrc_exec_t) - -type kerneloops_tmp_t; -files_tmp_file(kerneloops_tmp_t) - -######################################## -# -# kerneloops local policy -# - -allow kerneloops_t self:capability sys_nice; -allow kerneloops_t self:process { getcap setcap setsched getsched signal }; -allow kerneloops_t self:fifo_file rw_file_perms; - -manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file) - -kernel_read_ring_buffer(kerneloops_t) - -# Init script handling -domain_use_interactive_fds(kerneloops_t) - -corenet_all_recvfrom_unlabeled(kerneloops_t) -corenet_all_recvfrom_netlabel(kerneloops_t) -corenet_tcp_sendrecv_generic_if(kerneloops_t) -corenet_tcp_sendrecv_generic_node(kerneloops_t) -corenet_tcp_sendrecv_all_ports(kerneloops_t) -corenet_tcp_bind_http_port(kerneloops_t) -corenet_tcp_connect_http_port(kerneloops_t) - -files_read_etc_files(kerneloops_t) - -auth_use_nsswitch(kerneloops_t) - -logging_send_syslog_msg(kerneloops_t) -logging_read_generic_logs(kerneloops_t) - -miscfiles_read_localization(kerneloops_t) - -optional_policy(` - dbus_system_domain(kerneloops_t, kerneloops_exec_t) -') diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc deleted file mode 100644 index 9c0c83541..000000000 --- a/policy/modules/services/ksmtuned.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) - -/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) - -/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if deleted file mode 100644 index 6fd0b4c09..000000000 --- a/policy/modules/services/ksmtuned.if +++ /dev/null @@ -1,74 +0,0 @@ -## Kernel Samepage Merging (KSM) Tuning Daemon - -######################################## -## -## Execute a domain transition to run ksmtuned. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ksmtuned_domtrans',` - gen_require(` - type ksmtuned_t, ksmtuned_exec_t; - ') - - domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t) -') - -######################################## -## -## Execute ksmtuned server in the ksmtuned domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ksmtuned_initrc_domtrans',` - gen_require(` - type ksmtuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an ksmtuned environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ksmtuned_admin',` - gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; - type ksmtuned_initrc_exec_t; - ') - - allow $1 ksmtuned_t:process { ptrace signal_perms }; - ps_process_pattern(ksmtumed_t) - - files_list_pids($1) - admin_pattern($1, ksmtuned_var_run_t) - - # Allow ksmtuned_t to restart the apache service - ksmtuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; - allow $2 system_r; - -') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te deleted file mode 100644 index a73b7a12f..000000000 --- a/policy/modules/services/ksmtuned.te +++ /dev/null @@ -1,39 +0,0 @@ -policy_module(ksmtuned, 1.0.0) - -######################################## -# -# Declarations -# - -type ksmtuned_t; -type ksmtuned_exec_t; -init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) - -type ksmtuned_initrc_exec_t; -init_script_file(ksmtuned_initrc_exec_t) - -type ksmtuned_var_run_t; -files_pid_file(ksmtuned_var_run_t) - -######################################## -# -# ksmtuned local policy -# - -allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; -allow ksmtuned_t self:fifo_file rw_file_perms; - -manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) -files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) - -kernel_read_system_state(ksmtuned_t) - -dev_rw_sysfs(ksmtuned_t) - -domain_read_all_domains_state(ksmtuned_t) - -corecmd_exec_bin(ksmtuned_t) - -files_read_etc_files(ksmtuned_t) - -miscfiles_read_localization(ksmtuned_t) diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc deleted file mode 100644 index 47d0bf31c..000000000 --- a/policy/modules/services/ktalk.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - -/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) -/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - -/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0) diff --git a/policy/modules/services/ktalk.if b/policy/modules/services/ktalk.if deleted file mode 100644 index 5ba36dbf5..000000000 --- a/policy/modules/services/ktalk.if +++ /dev/null @@ -1 +0,0 @@ -## KDE Talk daemon diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te deleted file mode 100644 index ca5cfdfe1..000000000 --- a/policy/modules/services/ktalk.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(ktalk, 1.8.0) - -######################################## -# -# Declarations -# - -type ktalkd_t; -type ktalkd_exec_t; -inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) -role system_r types ktalkd_t; - -type ktalkd_log_t; -logging_log_file(ktalkd_log_t) - -type ktalkd_tmp_t; -files_tmp_file(ktalkd_tmp_t) - -type ktalkd_var_run_t; -files_pid_file(ktalkd_var_run_t) - -######################################## -# -# Local policy -# - -allow ktalkd_t self:process signal_perms; -allow ktalkd_t self:fifo_file rw_fifo_file_perms; -allow ktalkd_t self:tcp_socket connected_stream_socket_perms; -allow ktalkd_t self:udp_socket create_socket_perms; -# for identd -# cjp: this should probably only be inetd_child rules? -allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow ktalkd_t self:capability { setuid setgid }; -files_search_home(ktalkd_t) -optional_policy(` - kerberos_use(ktalkd_t) -') -#end for identd - -allow ktalkd_t ktalkd_log_t:file manage_file_perms; -logging_log_filetrans(ktalkd_t, ktalkd_log_t, file) - -manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) -manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) -files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir }) - -manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t) -files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file) - -kernel_read_kernel_sysctls(ktalkd_t) -kernel_read_system_state(ktalkd_t) -kernel_read_network_state(ktalkd_t) - -corenet_all_recvfrom_unlabeled(ktalkd_t) -corenet_all_recvfrom_netlabel(ktalkd_t) -corenet_tcp_sendrecv_generic_if(ktalkd_t) -corenet_udp_sendrecv_generic_if(ktalkd_t) -corenet_tcp_sendrecv_generic_node(ktalkd_t) -corenet_udp_sendrecv_generic_node(ktalkd_t) -corenet_tcp_sendrecv_all_ports(ktalkd_t) -corenet_udp_sendrecv_all_ports(ktalkd_t) - -dev_read_urand(ktalkd_t) - -fs_getattr_xattr_fs(ktalkd_t) - -files_read_etc_files(ktalkd_t) - -term_search_ptys(ktalkd_t) -term_use_all_terms(ktalkd_t) - -auth_use_nsswitch(ktalkd_t) - -init_read_utmp(ktalkd_t) - -logging_send_syslog_msg(ktalkd_t) - -miscfiles_read_localization(ktalkd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc deleted file mode 100644 index c62f23e3d..000000000 --- a/policy/modules/services/ldap.fc +++ /dev/null @@ -1,17 +0,0 @@ - -/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) - -/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -ifdef(`distro_debian',` -/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -') - -/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) - -/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if deleted file mode 100644 index 3aa8fa778..000000000 --- a/policy/modules/services/ldap.if +++ /dev/null @@ -1,120 +0,0 @@ -## OpenLDAP directory server - -######################################## -## -## Read the contents of the OpenLDAP -## database directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_list_db',` - gen_require(` - type slapd_db_t; - ') - - allow $1 slapd_db_t:dir list_dir_perms; -') - -######################################## -## -## Read the OpenLDAP configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ldap_read_config',` - gen_require(` - type slapd_etc_t; - ') - - files_search_etc($1) - allow $1 slapd_etc_t:file read_file_perms; -') - -######################################## -## -## Use LDAP over TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to slapd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ldap_stream_connect',` - gen_require(` - type slapd_t, slapd_var_run_t; - ') - - files_search_pids($1) - allow $1 slapd_var_run_t:sock_file write; - allow $1 slapd_t:unix_stream_socket connectto; -') - -######################################## -## -## All of the rules required to administrate -## an ldap environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ldap domain. -## -## -## -# -interface(`ldap_admin',` - gen_require(` - type slapd_t, slapd_tmp_t, slapd_replog_t; - type slapd_lock_t, slapd_etc_t, slapd_var_run_t; - type slapd_initrc_exec_t; - ') - - allow $1 slapd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slapd_t) - - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, slapd_etc_t) - - admin_pattern($1, slapd_lock_t) - - admin_pattern($1, slapd_replog_t) - - files_list_tmp($1) - admin_pattern($1, slapd_tmp_t) - - files_list_pids($1) - admin_pattern($1, slapd_var_run_t) -') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te deleted file mode 100644 index 64fd1ff50..000000000 --- a/policy/modules/services/ldap.te +++ /dev/null @@ -1,132 +0,0 @@ -policy_module(ldap, 1.10.0) - -######################################## -# -# Declarations -# - -type slapd_t; -type slapd_exec_t; -init_daemon_domain(slapd_t, slapd_exec_t) - -type slapd_cert_t; -files_type(slapd_cert_t) - -type slapd_db_t; -files_type(slapd_db_t) - -type slapd_etc_t; -files_config_file(slapd_etc_t) - -type slapd_initrc_exec_t; -init_script_file(slapd_initrc_exec_t) - -type slapd_lock_t; -files_lock_file(slapd_lock_t) - -type slapd_replog_t; -files_type(slapd_replog_t) - -type slapd_tmp_t; -files_tmp_file(slapd_tmp_t) - -type slapd_var_run_t; -files_pid_file(slapd_var_run_t) - -######################################## -# -# Local policy -# - -# should not need kill -# cjp: why net_raw? -allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; -dontaudit slapd_t self:capability sys_tty_config; -allow slapd_t self:process setsched; -allow slapd_t self:fifo_file rw_fifo_file_perms; -allow slapd_t self:udp_socket create_socket_perms; -#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) -allow slapd_t self:tcp_socket create_stream_socket_perms; - -allow slapd_t slapd_cert_t:dir list_dir_perms; -read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) -read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) - -# Allow access to the slapd databases -manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) -manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) -manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) - -allow slapd_t slapd_etc_t:file read_file_perms; - -allow slapd_t slapd_lock_t:file manage_file_perms; -files_lock_filetrans(slapd_t, slapd_lock_t, file) - -# Allow access to write the replication log (should tighten this) -manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - -manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) - -manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) - -kernel_read_system_state(slapd_t) -kernel_read_kernel_sysctls(slapd_t) - -corenet_all_recvfrom_unlabeled(slapd_t) -corenet_all_recvfrom_netlabel(slapd_t) -corenet_tcp_sendrecv_generic_if(slapd_t) -corenet_udp_sendrecv_generic_if(slapd_t) -corenet_tcp_sendrecv_generic_node(slapd_t) -corenet_udp_sendrecv_generic_node(slapd_t) -corenet_tcp_sendrecv_all_ports(slapd_t) -corenet_udp_sendrecv_all_ports(slapd_t) -corenet_tcp_bind_generic_node(slapd_t) -corenet_tcp_bind_ldap_port(slapd_t) -corenet_tcp_connect_all_ports(slapd_t) -corenet_sendrecv_ldap_server_packets(slapd_t) -corenet_sendrecv_all_client_packets(slapd_t) - -dev_read_urand(slapd_t) -dev_read_sysfs(slapd_t) - -fs_getattr_all_fs(slapd_t) -fs_search_auto_mountpoints(slapd_t) - -domain_use_interactive_fds(slapd_t) - -files_read_etc_files(slapd_t) -files_read_etc_runtime_files(slapd_t) -files_read_usr_files(slapd_t) -files_list_var_lib(slapd_t) - -auth_use_nsswitch(slapd_t) - -logging_send_syslog_msg(slapd_t) - -miscfiles_read_generic_certs(slapd_t) -miscfiles_read_localization(slapd_t) - -userdom_dontaudit_use_unpriv_user_fds(slapd_t) -userdom_dontaudit_search_user_home_dirs(slapd_t) - -optional_policy(` - kerberos_keytab_template(slapd, slapd_t) -') - -optional_policy(` - sasl_connect(slapd_t) -') - -optional_policy(` - seutil_sigchld_newrole(slapd_t) -') - -optional_policy(` - udev_read_db(slapd_t) -') diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc deleted file mode 100644 index 057a4e453..000000000 --- a/policy/modules/services/likewise.fc +++ /dev/null @@ -1,54 +0,0 @@ -/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0) -/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0) -/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0) - -/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) -/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) - -/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) -/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) -/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) -/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) -/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) -/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) -/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) -/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) - -/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) -/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) -/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0) -/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0) -/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) -/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) -/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) -/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) -/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0) -/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) -/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) -/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0) -/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) -/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0) -/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0) -/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) - -/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0) -/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) -/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) -/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) -/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) -/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) - diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if deleted file mode 100644 index 771e04b6c..000000000 --- a/policy/modules/services/likewise.if +++ /dev/null @@ -1,105 +0,0 @@ -## Likewise Active Directory support for UNIX. -## -##

-## Likewise Open is a free, open source application that joins Linux, Unix, -## and Mac machines to Microsoft Active Directory to securely authenticate -## users with their domain credentials. -##

-## - -####################################### -## -## The template to define a likewise domain. -## -## -##

-## This template creates a domain to be used for -## a new likewise daemon. -##

-## -## -## -## The type of daemon to be used. -## -## -# -template(`likewise_domain_template',` - - gen_require(` - attribute likewise_domains; - type likewise_var_lib_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - domain_use_interactive_fds($1_t) - - typeattribute $1_t likewise_domains; - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - type $1_var_socket_t; - files_type($1_var_socket_t) - - type $1_var_lib_t; - files_type($1_var_lib_t) - - #################################### - # - # Local Policy - # - - allow $1_t self:process { signal_perms getsched setsched }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - allow $1_t likewise_var_lib_t:dir setattr; - - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, file) - - manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file) - - manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) - - dev_read_rand($1_t) - dev_read_urand($1_t) - - files_read_etc_files($1_t) - files_search_var_lib($1_t) - - logging_send_syslog_msg($1_t) - - miscfiles_read_localization($1_t) -') - -######################################## -## -## Connect to lsassd. -## -## -## -## Domain allowed access. -## -## -# -interface(`likewise_stream_connect_lsassd',` - gen_require(` - type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) -') diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te deleted file mode 100644 index 5ba6cc2a1..000000000 --- a/policy/modules/services/likewise.te +++ /dev/null @@ -1,238 +0,0 @@ -policy_module(likewise, 1.2.0) - -################################# -# -# Declarations -# - -attribute likewise_domains; - -type likewise_etc_t; -files_config_file(likewise_etc_t) - -type likewise_initrc_exec_t; -init_script_file(likewise_initrc_exec_t) - -type likewise_var_lib_t; -files_type(likewise_var_lib_t) - -type likewise_pstore_lock_t; -files_type(likewise_pstore_lock_t) - -type likewise_krb5_ad_t; -files_type(likewise_krb5_ad_t) - -likewise_domain_template(dcerpcd) - -likewise_domain_template(eventlogd) - -likewise_domain_template(lsassd) - -type lsassd_tmp_t; -files_tmp_file(lsassd_tmp_t) - -likewise_domain_template(lwiod) - -likewise_domain_template(lwregd) - -likewise_domain_template(lwsmd) - -likewise_domain_template(netlogond) - -likewise_domain_template(srvsvcd) - -################################# -# -# Likewise dcerpcd personal policy -# - -stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(dcerpcd_t) -corenet_all_recvfrom_unlabeled(dcerpcd_t) -corenet_sendrecv_generic_client_packets(dcerpcd_t) -corenet_sendrecv_generic_server_packets(dcerpcd_t) -corenet_tcp_sendrecv_generic_if(dcerpcd_t) -corenet_tcp_sendrecv_generic_node(dcerpcd_t) -corenet_tcp_sendrecv_generic_port(dcerpcd_t) -corenet_tcp_bind_generic_node(dcerpcd_t) -corenet_tcp_bind_epmap_port(dcerpcd_t) -corenet_tcp_connect_generic_port(dcerpcd_t) -corenet_udp_bind_generic_node(dcerpcd_t) -corenet_udp_bind_epmap_port(dcerpcd_t) -corenet_udp_sendrecv_generic_if(dcerpcd_t) -corenet_udp_sendrecv_generic_node(dcerpcd_t) -corenet_udp_sendrecv_generic_port(dcerpcd_t) - -################################# -# -# Likewise Auditing and Logging service policy -# - -stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(eventlogd_t) -corenet_all_recvfrom_unlabeled(eventlogd_t) -corenet_sendrecv_generic_server_packets(eventlogd_t) -corenet_tcp_sendrecv_generic_if(eventlogd_t) -corenet_tcp_sendrecv_generic_node(eventlogd_t) -corenet_tcp_sendrecv_generic_port(eventlogd_t) -corenet_tcp_bind_generic_node(eventlogd_t) -corenet_udp_bind_generic_node(eventlogd_t) -corenet_udp_sendrecv_generic_if(eventlogd_t) -corenet_udp_sendrecv_generic_node(eventlogd_t) -corenet_udp_sendrecv_generic_port(eventlogd_t) - -################################# -# -# Likewise Authentication service local policy -# - -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; -allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; - -allow lsassd_t likewise_krb5_ad_t:file read_file_perms; -allow lsassd_t netlogond_var_lib_t:file read_file_perms; - -manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t) - -manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t) -files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file) - -stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) -stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) - -kernel_read_system_state(lsassd_t) -kernel_getattr_proc_files(lsassd_t) -kernel_list_all_proc(lsassd_t) -kernel_list_proc(lsassd_t) - -corecmd_exec_bin(lsassd_t) -corecmd_exec_shell(lsassd_t) - -corenet_all_recvfrom_netlabel(lsassd_t) -corenet_all_recvfrom_unlabeled(lsassd_t) -corenet_tcp_sendrecv_generic_if(lsassd_t) -corenet_tcp_sendrecv_generic_node(lsassd_t) -corenet_tcp_sendrecv_generic_port(lsassd_t) -corenet_tcp_bind_generic_node(lsassd_t) -corenet_tcp_connect_epmap_port(lsassd_t) -corenet_tcp_sendrecv_epmap_port(lsassd_t) - -domain_obj_id_change_exemption(lsassd_t) - -files_manage_etc_files(lsassd_t) -files_manage_etc_symlinks(lsassd_t) -files_manage_etc_runtime_files(lsassd_t) -files_relabelto_home(lsassd_t) - -selinux_get_fs_mount(lsassd_t) -selinux_validate_context(lsassd_t) - -seutil_read_config(lsassd_t) -seutil_read_default_contexts(lsassd_t) -seutil_read_file_contexts(lsassd_t) -seutil_run_semanage(lsassd_t, system_r) - -sysnet_use_ldap(lsassd_t) -sysnet_read_config(lsassd_t) - -userdom_home_filetrans_user_home_dir(lsassd_t) -userdom_manage_user_home_content_files(lsassd_t) - -optional_policy(` - kerberos_rw_keytab(lsassd_t) - kerberos_use(lsassd_t) -') - -################################# -# -# Likewise I/O service local policy -# - -allow lwiod_t self:capability { fowner chown fsetid dac_override }; -allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; - -allow lwiod_t likewise_krb5_ad_t:file read_file_perms; -allow lwiod_t netlogond_var_lib_t:file read_file_perms; - -stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) -stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) - -corenet_all_recvfrom_netlabel(lwiod_t) -corenet_all_recvfrom_unlabeled(lwiod_t) -corenet_sendrecv_smbd_server_packets(lwiod_t) -corenet_sendrecv_smbd_client_packets(lwiod_t) -corenet_tcp_sendrecv_generic_if(lwiod_t) -corenet_tcp_sendrecv_generic_node(lwiod_t) -corenet_tcp_sendrecv_generic_port(lwiod_t) -corenet_tcp_bind_generic_node(lwiod_t) -corenet_tcp_bind_smbd_port(lwiod_t) -corenet_tcp_connect_smbd_port(lwiod_t) - -sysnet_read_config(lwiod_t) - -optional_policy(` - kerberos_rw_config(lwiod_t) - kerberos_use(lwiod_t) -') - -################################# -# -# Likewise Service Manager service local policy -# - -allow lwsmd_t likewise_domains:process signal; - -domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) -domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t) -domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) -domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t) -domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t) -domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t) -domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t) - -stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -################################# -# -# Likewise DC location service local policy -# - -allow netlogond_t self:capability {dac_override}; - -manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) - -stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -sysnet_dns_name_resolve(netlogond_t) -sysnet_use_ldap(netlogond_t) - -################################# -# -# Likewise Srv service local policy -# - -allow srvsvcd_t likewise_etc_t:dir search_dir_perms; - -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) -stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - -corenet_all_recvfrom_netlabel(srvsvcd_t) -corenet_all_recvfrom_unlabeled(srvsvcd_t) -corenet_sendrecv_generic_server_packets(srvsvcd_t) -corenet_tcp_sendrecv_generic_if(srvsvcd_t) -corenet_tcp_sendrecv_generic_node(srvsvcd_t) -corenet_tcp_sendrecv_generic_port(srvsvcd_t) -corenet_tcp_bind_generic_node(srvsvcd_t) - -optional_policy(` - kerberos_use(srvsvcd_t) -') diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc deleted file mode 100644 index 49e04e589..000000000 --- a/policy/modules/services/lircd.fc +++ /dev/null @@ -1,10 +0,0 @@ -/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) - -/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) -/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) - -/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) - -/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if deleted file mode 100644 index 418cc8110..000000000 --- a/policy/modules/services/lircd.if +++ /dev/null @@ -1,96 +0,0 @@ -## Linux infared remote control daemon - -######################################## -## -## Execute a domain transition to run lircd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lircd_domtrans',` - gen_require(` - type lircd_t, lircd_exec_t; - ') - - domain_auto_trans($1, lircd_exec_t, lircd_t) - -') - -###################################### -## -## Connect to lircd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`lircd_stream_connect',` - gen_require(` - type lircd_var_run_t, lircd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) -') - -####################################### -## -## Read lircd etc file -## -## -## -## Domain allowed access. -## -## -# -interface(`lircd_read_config',` - gen_require(` - type lircd_etc_t; - ') - - read_files_pattern($1, lircd_etc_t, lircd_etc_t) -') - -######################################## -## -## All of the rules required to administrate -## a lircd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`lircd_admin',` - gen_require(` - type lircd_t, lircd_var_run_t; - type lircd_initrc_exec_t, lircd_etc_t; - ') - - allow $1 lircd_t:process { ptrace signal_perms }; - ps_process_pattern($1, lircd_t) - - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lircd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, lircd_etc_t) - - files_search_pids($1) - admin_pattern($1, lircd_var_run_t) -') diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te deleted file mode 100644 index 6a78de1e7..000000000 --- a/policy/modules/services/lircd.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(lircd, 1.1.0) - -######################################## -# -# Declarations -# - -type lircd_t; -type lircd_exec_t; -init_daemon_domain(lircd_t, lircd_exec_t) - -type lircd_initrc_exec_t; -init_script_file(lircd_initrc_exec_t) - -type lircd_etc_t; -files_type(lircd_etc_t) - -type lircd_var_run_t alias lircd_sock_t; -files_pid_file(lircd_var_run_t) - -######################################## -# -# lircd local policy -# - -allow lircd_t self:capability { chown kill sys_admin }; -allow lircd_t self:fifo_file rw_fifo_file_perms; -allow lircd_t self:unix_dgram_socket create_socket_perms; -allow lircd_t self:tcp_socket create_stream_socket_perms; - -# etc file -read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) - -manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) -# /dev/lircd socket -dev_filetrans(lircd_t, lircd_var_run_t, sock_file) - -corenet_tcp_sendrecv_generic_if(lircd_t) -corenet_tcp_bind_generic_node(lircd_t) -corenet_tcp_bind_lirc_port(lircd_t) -corenet_tcp_sendrecv_all_ports(lircd_t) -corenet_tcp_connect_lirc_port(lircd_t) - -dev_read_generic_usb_dev(lircd_t) -dev_read_mouse(lircd_t) -dev_filetrans_lirc(lircd_t) -dev_rw_lirc(lircd_t) -dev_rw_input_dev(lircd_t) - -files_read_etc_files(lircd_t) -files_list_var(lircd_t) -files_manage_generic_locks(lircd_t) -files_read_all_locks(lircd_t) - -term_use_ptmx(lircd_t) - -logging_send_syslog_msg(lircd_t) - -miscfiles_read_localization(lircd_t) - -sysnet_dns_name_resolve(lircd_t) diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc deleted file mode 100644 index 5c9eb6839..000000000 --- a/policy/modules/services/lpd.fc +++ /dev/null @@ -1,37 +0,0 @@ -# -# /dev -# -/dev/printer -s gen_context(system_u:object_r:printer_t,s0) - -/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) - -# -# /usr -# -/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) -/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) -/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - -/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) - -# -# /var -# -/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) -/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if deleted file mode 100644 index a4f32f54a..000000000 --- a/policy/modules/services/lpd.if +++ /dev/null @@ -1,214 +0,0 @@ -## Line printer daemon - -######################################## -## -## Role access for lpd -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`lpd_role',` - gen_require(` - type lpr_t, lpr_exec_t, print_spool_t; - ') - - role $1 types lpr_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, lpr_exec_t, lpr_t) - dontaudit lpr_t $2:unix_stream_socket { read write }; - - ps_process_pattern($2, lpr_t) - allow $2 lpr_t:process signull; - - optional_policy(` - cups_read_config($2) - ') -') - -######################################## -## -## Execute lpd in the lpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`lpd_domtrans_checkpc',` - gen_require(` - type checkpc_t, checkpc_exec_t; - ') - - domtrans_pattern($1, checkpc_exec_t, checkpc_t) -') - -######################################## -## -## Execute amrecover in the lpd domain, and -## allow the specified role the lpd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`lpd_run_checkpc',` - gen_require(` - type checkpc_t; - ') - - lpd_domtrans_checkpc($1) - role $2 types checkpc_t; -') - -######################################## -## -## List the contents of the printer spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_list_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:dir list_dir_perms; -') - -######################################## -## -## Read the printer spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_read_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, print_spool_t, print_spool_t) -') - -######################################## -## -## Create, read, write, and delete printer spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_manage_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, print_spool_t, print_spool_t) - manage_files_pattern($1, print_spool_t, print_spool_t) - manage_lnk_files_pattern($1, print_spool_t, print_spool_t) -') - -######################################## -## -## Relabel from and to the spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_relabel_spool',` - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:file { relabelto relabelfrom }; -') - -######################################## -## -## List the contents of the printer spool directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`lpd_read_config',` - gen_require(` - type printconf_t; - ') - - allow $1 printconf_t:dir list_dir_perms; - read_files_pattern($1, printconf_t, printconf_t) -') - -######################################## -## -## Transition to a user lpr domain. -## -## -## -## Domain allowed to transition. -## -## -# -template(`lpd_domtrans_lpr',` - gen_require(` - type lpr_t, lpr_exec_t; - ') - - domtrans_pattern($1, lpr_exec_t, lpr_t) -') - -######################################## -## -## Allow the specified domain to execute lpr -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`lpd_exec_lpr',` - gen_require(` - type lpr_exec_t; - ') - - can_exec($1, lpr_exec_t) -') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te deleted file mode 100644 index 93c14ca4e..000000000 --- a/policy/modules/services/lpd.te +++ /dev/null @@ -1,330 +0,0 @@ -policy_module(lpd, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Use lpd server instead of cups -##

-## -gen_tunable(use_lpd_server, false) - -type checkpc_t; -type checkpc_exec_t; -init_system_domain(checkpc_t, checkpc_exec_t) -role system_r types checkpc_t; - -type checkpc_log_t; -logging_log_file(checkpc_log_t) - -type lpd_t; -type lpd_exec_t; -init_daemon_domain(lpd_t, lpd_exec_t) - -type lpd_tmp_t; -files_tmp_file(lpd_tmp_t) - -type lpd_var_run_t; -files_pid_file(lpd_var_run_t) - -type lpr_t; -type lpr_exec_t; -typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t }; -typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t }; -application_domain(lpr_t, lpr_exec_t) -ubac_constrained(lpr_t) - -type lpr_tmp_t; -typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; -typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; -files_tmp_file(lpr_tmp_t) -ubac_constrained(lpr_tmp_t) - -# Type for spool files. -type print_spool_t; -typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; -typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; -files_type(print_spool_t) -ubac_constrained(print_spool_t) - -type printer_t; -files_type(printer_t) - -type printconf_t; -files_type(printconf_t) - -######################################## -# -# Checkpc local policy -# - -# Allow checkpc to access the lpd spool so it can check & fix it. -# This requires that /usr/sbin/checkpc have type checkpc_t. - -allow checkpc_t self:capability { setgid setuid dac_override }; -allow checkpc_t self:process signal_perms; -allow checkpc_t self:unix_stream_socket create_socket_perms; -allow checkpc_t self:tcp_socket create_socket_perms; -allow checkpc_t self:udp_socket create_socket_perms; - -allow checkpc_t checkpc_log_t:file manage_file_perms; -logging_log_filetrans(checkpc_t, checkpc_log_t, file) - -allow checkpc_t lpd_var_run_t:dir search_dir_perms; -files_search_pids(checkpc_t) - -rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) -delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) -files_search_spool(checkpc_t) - -allow checkpc_t printconf_t:file getattr; -allow checkpc_t printconf_t:dir list_dir_perms; - -kernel_read_system_state(checkpc_t) - -corenet_all_recvfrom_unlabeled(checkpc_t) -corenet_all_recvfrom_netlabel(checkpc_t) -corenet_tcp_sendrecv_generic_if(checkpc_t) -corenet_udp_sendrecv_generic_if(checkpc_t) -corenet_tcp_sendrecv_generic_node(checkpc_t) -corenet_udp_sendrecv_generic_node(checkpc_t) -corenet_tcp_sendrecv_all_ports(checkpc_t) -corenet_udp_sendrecv_all_ports(checkpc_t) -corenet_tcp_connect_all_ports(checkpc_t) -corenet_sendrecv_all_client_packets(checkpc_t) - -dev_append_printer(checkpc_t) - -# This is less desirable, but checkpc demands /bin/bash and /bin/chown: -corecmd_exec_shell(checkpc_t) -corecmd_exec_bin(checkpc_t) - -domain_use_interactive_fds(checkpc_t) - -files_read_etc_files(checkpc_t) -files_read_etc_runtime_files(checkpc_t) - -init_use_script_ptys(checkpc_t) -# Allow access to /dev/console through the fd: -init_use_fds(checkpc_t) - -sysnet_read_config(checkpc_t) - -userdom_use_user_terminals(checkpc_t) - -optional_policy(` - cron_system_entry(checkpc_t, checkpc_exec_t) -') - -optional_policy(` - logging_send_syslog_msg(checkpc_t) -') - -optional_policy(` - nis_use_ypbind(checkpc_t) -') - -######################################## -# -# Lpd local policy -# - -allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; -dontaudit lpd_t self:capability sys_tty_config; -allow lpd_t self:process signal_perms; -allow lpd_t self:fifo_file rw_fifo_file_perms; -allow lpd_t self:unix_stream_socket create_stream_socket_perms; -allow lpd_t self:unix_dgram_socket create_socket_perms; -allow lpd_t self:tcp_socket create_stream_socket_perms; -allow lpd_t self:udp_socket create_stream_socket_perms; - -manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) -manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) -files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) - -manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -files_pid_filetrans(lpd_t, lpd_var_run_t, file) - -# Write to /var/spool/lpd. -manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -files_search_spool(lpd_t) - -# lpd must be able to execute the filter utilities in /usr/share/printconf. -allow lpd_t printconf_t:dir list_dir_perms; -can_exec(lpd_t, printconf_t) - -# Create and bind to /dev/printer. -allow lpd_t printer_t:lnk_file manage_lnk_file_perms; -dev_filetrans(lpd_t, printer_t, lnk_file) - -kernel_read_kernel_sysctls(lpd_t) -# bash wants access to /proc/meminfo -kernel_read_system_state(lpd_t) - -corenet_all_recvfrom_unlabeled(lpd_t) -corenet_all_recvfrom_netlabel(lpd_t) -corenet_tcp_sendrecv_generic_if(lpd_t) -corenet_udp_sendrecv_generic_if(lpd_t) -corenet_tcp_sendrecv_generic_node(lpd_t) -corenet_udp_sendrecv_generic_node(lpd_t) -corenet_tcp_sendrecv_all_ports(lpd_t) -corenet_udp_sendrecv_all_ports(lpd_t) -corenet_tcp_bind_generic_node(lpd_t) -corenet_tcp_bind_printer_port(lpd_t) -corenet_sendrecv_printer_server_packets(lpd_t) - -dev_read_sysfs(lpd_t) -dev_rw_printer(lpd_t) - -fs_getattr_all_fs(lpd_t) -fs_search_auto_mountpoints(lpd_t) - -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -corecmd_exec_bin(lpd_t) -corecmd_exec_shell(lpd_t) - -domain_use_interactive_fds(lpd_t) - -files_read_etc_runtime_files(lpd_t) -files_read_usr_files(lpd_t) -# for defoma -files_list_world_readable(lpd_t) -files_read_world_readable_files(lpd_t) -files_read_world_readable_symlinks(lpd_t) -files_list_var_lib(lpd_t) -files_read_var_lib_files(lpd_t) -files_read_var_lib_symlinks(lpd_t) -# config files for lpd are of type etc_t, probably should change this -files_read_etc_files(lpd_t) - -logging_send_syslog_msg(lpd_t) - -miscfiles_read_fonts(lpd_t) -miscfiles_read_localization(lpd_t) - -sysnet_read_config(lpd_t) - -userdom_dontaudit_use_unpriv_user_fds(lpd_t) -userdom_dontaudit_search_user_home_dirs(lpd_t) - -optional_policy(` - nis_use_ypbind(lpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(lpd_t) -') - -optional_policy(` - udev_read_db(lpd_t) -') - -############################## -# -# Local policy -# - -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; -allow lpr_t self:unix_stream_socket create_stream_socket_perms; -allow lpr_t self:tcp_socket create_socket_perms; -allow lpr_t self:udp_socket create_socket_perms; - -can_exec(lpr_t, lpr_exec_t) - -# Allow lpd to read, rename, and unlink spool files. -allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; - -kernel_read_kernel_sysctls(lpr_t) - -corenet_all_recvfrom_unlabeled(lpr_t) -corenet_all_recvfrom_netlabel(lpr_t) -corenet_tcp_sendrecv_generic_if(lpr_t) -corenet_udp_sendrecv_generic_if(lpr_t) -corenet_tcp_sendrecv_generic_node(lpr_t) -corenet_udp_sendrecv_generic_node(lpr_t) -corenet_tcp_sendrecv_all_ports(lpr_t) -corenet_udp_sendrecv_all_ports(lpr_t) -corenet_tcp_connect_all_ports(lpr_t) -corenet_sendrecv_all_client_packets(lpr_t) - -dev_read_rand(lpr_t) -dev_read_urand(lpr_t) - -domain_use_interactive_fds(lpr_t) - -files_search_spool(lpr_t) -# for lpd config files (should have a new type) -files_read_etc_files(lpr_t) -# for test print -files_read_usr_files(lpr_t) -#Added to cover read_content macro -files_list_home(lpr_t) -files_read_generic_tmp_files(lpr_t) - -fs_getattr_xattr_fs(lpr_t) - -# Access the terminal. -term_use_controlling_term(lpr_t) -term_use_generic_ptys(lpr_t) - -auth_use_nsswitch(lpr_t) - -miscfiles_read_localization(lpr_t) - -userdom_read_user_tmp_symlinks(lpr_t) -# Write to the user domain tty. -userdom_use_user_terminals(lpr_t) -userdom_read_user_home_content_files(lpr_t) -userdom_read_user_tmp_files(lpr_t) - -tunable_policy(`use_lpd_server',` - # lpr can run in lightweight mode, without a local print spooler. - allow lpr_t lpd_var_run_t:dir search; - allow lpr_t lpd_var_run_t:sock_file write; - files_read_var_files(lpr_t) - - # Connect to lpd via a Unix domain socket. - allow lpr_t printer_t:sock_file rw_sock_file_perms; - allow lpr_t lpd_t:unix_stream_socket connectto; - # Send SIGHUP to lpd. - allow lpr_t lpd_t:process signal; - - manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) - - manage_files_pattern(lpr_t, print_spool_t, print_spool_t) - filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file) - # Read and write shared files in the spool directory. - allow lpr_t print_spool_t:file rw_file_perms; - - allow lpr_t printconf_t:dir list_dir_perms; - read_files_pattern(lpr_t, printconf_t, printconf_t) - read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(lpr_t) - fs_read_nfs_files(lpr_t) - fs_read_nfs_symlinks(lpr_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_auto_mountpoints(lpr_t) - fs_read_cifs_files(lpr_t) - fs_read_cifs_symlinks(lpr_t) -') - -optional_policy(` - cups_read_config(lpr_t) - cups_stream_connect(lpr_t) - cups_read_pid_files(lpr_t) -') - -optional_policy(` - logging_send_syslog_msg(lpr_t) -') diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc deleted file mode 100644 index 14ad1896c..000000000 --- a/policy/modules/services/mailman.fc +++ /dev/null @@ -1,34 +0,0 @@ -/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - -/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) -/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) -/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0) -/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) - -# -# distro_debian -# -ifdef(`distro_debian', ` -/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - -/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -') - -# -# distro_redhat -# -ifdef(`distro_redhat', ` -/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - -/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - -/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if deleted file mode 100644 index 67c7fddfa..000000000 --- a/policy/modules/services/mailman.if +++ /dev/null @@ -1,352 +0,0 @@ -## Mailman is for managing electronic mail discussion and e-newsletter lists - -####################################### -## -## The template to define a mailmain domain. -## -## -##

-## This template creates a domain to be used for -## a new mailman daemon. -##

-## -## -## -## The type of daemon to be used eg, cgi would give mailman_cgi_ -## -## -# -template(`mailman_domain_template', ` - type mailman_$1_t; - domain_type(mailman_$1_t) - role system_r types mailman_$1_t; - - type mailman_$1_exec_t; - domain_entry_file(mailman_$1_t, mailman_$1_exec_t) - - type mailman_$1_tmp_t; - files_tmp_file(mailman_$1_tmp_t) - - allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; - allow mailman_$1_t self:tcp_socket create_stream_socket_perms; - allow mailman_$1_t self:udp_socket create_socket_perms; - - files_search_spool(mailman_$1_t) - - manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) - manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) - - manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - - manage_files_pattern(mailman_$1_t, mailman_lock_t, mailman_lock_t) - files_lock_filetrans(mailman_$1_t, mailman_lock_t, file) - - manage_files_pattern(mailman_$1_t, mailman_log_t, mailman_log_t) - logging_log_filetrans(mailman_$1_t, mailman_log_t, file) - - manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) - - kernel_read_kernel_sysctls(mailman_$1_t) - kernel_read_system_state(mailman_$1_t) - - corenet_all_recvfrom_unlabeled(mailman_$1_t) - corenet_all_recvfrom_netlabel(mailman_$1_t) - corenet_tcp_sendrecv_generic_if(mailman_$1_t) - corenet_udp_sendrecv_generic_if(mailman_$1_t) - corenet_raw_sendrecv_generic_if(mailman_$1_t) - corenet_tcp_sendrecv_generic_node(mailman_$1_t) - corenet_udp_sendrecv_generic_node(mailman_$1_t) - corenet_raw_sendrecv_generic_node(mailman_$1_t) - corenet_tcp_sendrecv_all_ports(mailman_$1_t) - corenet_udp_sendrecv_all_ports(mailman_$1_t) - corenet_tcp_bind_generic_node(mailman_$1_t) - corenet_udp_bind_generic_node(mailman_$1_t) - corenet_tcp_connect_smtp_port(mailman_$1_t) - corenet_sendrecv_smtp_client_packets(mailman_$1_t) - - fs_getattr_xattr_fs(mailman_$1_t) - - corecmd_exec_all_executables(mailman_$1_t) - - files_exec_etc_files(mailman_$1_t) - files_list_usr(mailman_$1_t) - files_list_var(mailman_$1_t) - files_list_var_lib(mailman_$1_t) - files_read_var_lib_symlinks(mailman_$1_t) - files_read_etc_runtime_files(mailman_$1_t) - - auth_use_nsswitch(mailman_$1_t) - - libs_exec_ld_so(mailman_$1_t) - libs_exec_lib_files(mailman_$1_t) - - logging_send_syslog_msg(mailman_$1_t) - - miscfiles_read_localization(mailman_$1_t) -') - -####################################### -## -## Execute mailman in the mailman domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mailman_domtrans',` - gen_require(` - type mailman_mail_exec_t, mailman_mail_t; - ') - - domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) -') - -####################################### -## -## Execute mailman CGI scripts in the -## mailman CGI domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mailman_domtrans_cgi',` - gen_require(` - type mailman_cgi_exec_t, mailman_cgi_t; - ') - - domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) -') - -####################################### -## -## Execute mailman in the caller domain. -## -## -## -## Domain allowd access. -## -## -# -interface(`mailman_exec',` - gen_require(` - type mailman_mail_exec_t; - ') - - can_exec($1, mailman_mail_exec_t) -') - -####################################### -## -## Send generic signals to the mailman cgi domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_signal_cgi',` - gen_require(` - type mailman_cgi_t; - ') - - allow $1 mailman_cgi_t:process signal; -') - -####################################### -## -## Allow domain to search data directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_search_data',` - gen_require(` - type mailman_data_t; - ') - - allow $1 mailman_data_t:dir search_dir_perms; -') - -####################################### -## -## Allow domain to to read mailman data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_data_files',` - gen_require(` - type mailman_data_t; - ') - - list_dirs_pattern($1, mailman_data_t, mailman_data_t) - read_files_pattern($1, mailman_data_t, mailman_data_t) - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## -## Allow domain to to create mailman data files -## and write the directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_manage_data_files',` - gen_require(` - type mailman_data_t; - ') - - manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## -## List the contents of mailman data directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_list_data',` - gen_require(` - type mailman_data_t; - ') - - allow $1 mailman_data_t:dir list_dir_perms; -') - -####################################### -## -## Allow read acces to mailman data symbolic links. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_data_symlinks',` - gen_require(` - type mailman_data_t; - ') - - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -') - -####################################### -## -## Read mailman logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_log',` - gen_require(` - type mailman_log_t; - ') - - read_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## -## Append to mailman logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_append_log',` - gen_require(` - type mailman_log_t; - ') - - append_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## -## Create, read, write, and delete -## mailman logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_manage_log',` - gen_require(` - type mailman_log_t; - ') - - manage_files_pattern($1, mailman_log_t, mailman_log_t) - manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) -') - -####################################### -## -## Allow domain to read mailman archive files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mailman_read_archive',` - gen_require(` - type mailman_archive_t; - ') - - allow $1 mailman_archive_t:dir list_dir_perms; - read_files_pattern($1, mailman_archive_t, mailman_archive_t) - read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) -') - -####################################### -## -## Execute mailman_queue in the mailman_queue domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mailman_domtrans_queue',` - gen_require(` - type mailman_queue_exec_t, mailman_queue_t; - ') - - domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) -') diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te deleted file mode 100644 index af4d5728a..000000000 --- a/policy/modules/services/mailman.te +++ /dev/null @@ -1,128 +0,0 @@ -policy_module(mailman, 1.8.0) - -######################################## -# -# Declarations -# - -mailman_domain_template(cgi) - -type mailman_data_t; -files_type(mailman_data_t) - -type mailman_archive_t; -files_type(mailman_archive_t) - -type mailman_log_t; -logging_log_file(mailman_log_t) - -type mailman_lock_t; -files_lock_file(mailman_lock_t) - -mailman_domain_template(mail) -init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) - -mailman_domain_template(queue) - -######################################## -# -# Mailman CGI local policy -# - -# cjp: the template invocation for cgi should be -# in the below optional policy; however, there are no -# optionals for file contexts yet, so it is promoted -# to global scope until such facilities exist. - -optional_policy(` - dev_read_urand(mailman_cgi_t) - - manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) - manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) - manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) - - files_search_spool(mailman_cgi_t) - - term_use_controlling_term(mailman_cgi_t) - - # for python pre-compile foolishness - libs_dontaudit_write_lib_dirs(mailman_cgi_t) - - apache_sigchld(mailman_cgi_t) - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) - apache_read_config(mailman_cgi_t) - apache_dontaudit_rw_stream_sockets(mailman_cgi_t) -') - -######################################## -# -# Mailman mail local policy -# - -allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -allow mailman_mail_t self:process { signal signull }; -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; - -manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) - -files_search_spool(mailman_mail_t) - -fs_rw_anon_inodefs_files(mailman_mail_t) - -mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -mta_dontaudit_rw_queue(mailman_mail_t) - -optional_policy(` - courier_read_spool(mailman_mail_t) -') - -optional_policy(` - cron_read_pipes(mailman_mail_t) -') - -optional_policy(` - postfix_search_spool(mailman_mail_t) -') - -######################################## -# -# Mailman queue local policy -# - -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:process signal; -allow mailman_queue_t self:fifo_file rw_fifo_file_perms; -allow mailman_queue_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) -manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) -manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) - -kernel_read_proc_symlinks(mailman_queue_t) - -auth_domtrans_chk_passwd(mailman_queue_t) - -files_dontaudit_search_pids(mailman_queue_t) - -# for su -seutil_dontaudit_search_config(mailman_queue_t) - -# some of the following could probably be changed to dontaudit, someone who -# knows mailman well should test this out and send the changes -userdom_search_user_home_dirs(mailman_queue_t) - -optional_policy(` - apache_read_config(mailman_queue_t) -') - -optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -') - -optional_policy(` - su_exec(mailman_queue_t) -') \ No newline at end of file diff --git a/policy/modules/services/mediawiki.fc b/policy/modules/services/mediawiki.fc deleted file mode 100644 index a78b34aea..000000000 --- a/policy/modules/services/mediawiki.fc +++ /dev/null @@ -1,8 +0,0 @@ -/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) - -/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) - -/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) -/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) diff --git a/policy/modules/services/mediawiki.if b/policy/modules/services/mediawiki.if deleted file mode 100644 index 98d28b424..000000000 --- a/policy/modules/services/mediawiki.if +++ /dev/null @@ -1 +0,0 @@ -## Mediawiki policy diff --git a/policy/modules/services/mediawiki.te b/policy/modules/services/mediawiki.te deleted file mode 100644 index d7cb9e4c4..000000000 --- a/policy/modules/services/mediawiki.te +++ /dev/null @@ -1,17 +0,0 @@ -policy_module(mediawiki, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(mediawiki) - -######################################## -# -# mediawiki local policy -# - -files_search_var_lib(httpd_mediawiki_script_t) - -miscfiles_read_tetex_data(httpd_mediawiki_script_t) diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc deleted file mode 100644 index 4d6947753..000000000 --- a/policy/modules/services/memcached.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0) - -/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) - -/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if deleted file mode 100644 index db4fd6fbc..000000000 --- a/policy/modules/services/memcached.if +++ /dev/null @@ -1,73 +0,0 @@ -## high-performance memory object caching system - -######################################## -## -## Execute a domain transition to run memcached. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`memcached_domtrans',` - gen_require(` - type memcached_t; - type memcached_exec_t; - ') - - domtrans_pattern($1, memcached_exec_t, memcached_t) -') - -######################################## -## -## Read memcached PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`memcached_read_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) - allow $1 memcached_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an memcached environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the memcached domain. -## -## -## -# -interface(`memcached_admin',` - gen_require(` - type memcached_t; - type memcached_initrc_exec_t; - ') - - allow $1 memcached_t:process { ptrace signal_perms }; - ps_process_pattern($1, memcached_t) - - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, memcached_var_run_t) -') diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te deleted file mode 100644 index b6816087f..000000000 --- a/policy/modules/services/memcached.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(memcached, 1.2.0) - -######################################## -# -# Declarations -# - -type memcached_t; -type memcached_exec_t; -init_daemon_domain(memcached_t, memcached_exec_t) - -type memcached_initrc_exec_t; -init_script_file(memcached_initrc_exec_t) - -type memcached_var_run_t; -files_pid_file(memcached_var_run_t) - -######################################## -# -# memcached local policy -# - -allow memcached_t self:capability { setuid setgid }; -dontaudit memcached_t self:capability sys_tty_config; -allow memcached_t self:process { setrlimit signal_perms }; -allow memcached_t self:tcp_socket create_stream_socket_perms; -allow memcached_t self:udp_socket { create_socket_perms listen }; -allow memcached_t self:fifo_file rw_fifo_file_perms; -allow memcached_t self:unix_stream_socket create_stream_socket_perms; - -corenet_all_recvfrom_unlabeled(memcached_t) -corenet_udp_sendrecv_generic_if(memcached_t) -corenet_udp_sendrecv_generic_node(memcached_t) -corenet_udp_sendrecv_all_ports(memcached_t) -corenet_udp_bind_generic_node(memcached_t) -corenet_tcp_sendrecv_generic_if(memcached_t) -corenet_tcp_sendrecv_generic_node(memcached_t) -corenet_tcp_sendrecv_all_ports(memcached_t) -corenet_tcp_bind_generic_node(memcached_t) -corenet_tcp_bind_memcache_port(memcached_t) -corenet_udp_bind_memcache_port(memcached_t) - -manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(memcached_t) -kernel_read_system_state(memcached_t) - -files_read_etc_files(memcached_t) - -term_dontaudit_use_all_ptys(memcached_t) -term_dontaudit_use_all_ttys(memcached_t) -term_dontaudit_use_console(memcached_t) - -auth_use_nsswitch(memcached_t) - -miscfiles_read_localization(memcached_t) diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc deleted file mode 100644 index 55a3e2f8a..000000000 --- a/policy/modules/services/milter.fc +++ /dev/null @@ -1,13 +0,0 @@ -/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) - -/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) - -/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) - -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if deleted file mode 100644 index ed1af3c02..000000000 --- a/policy/modules/services/milter.if +++ /dev/null @@ -1,102 +0,0 @@ -## Milter mail filters - -######################################## -## -## Create a set of derived types for various -## mail filter applications using the milter interface. -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`milter_template',` - # attributes common to all milters - gen_require(` - attribute milter_data_type, milter_domains; - ') - - type $1_milter_t, milter_domains; - type $1_milter_exec_t; - init_daemon_domain($1_milter_t, $1_milter_exec_t) - role system_r types $1_milter_t; - - # Type for the milter data (e.g. the socket used to communicate with the MTA) - type $1_milter_data_t, milter_data_type; - files_type($1_milter_data_t) - - allow $1_milter_t self:fifo_file rw_fifo_file_perms; - - # Allow communication with MTA over a unix-domain socket - # Note: usage with TCP sockets requires additional policy - manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - - # Create other data files and directories in the data directory - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - - files_read_etc_files($1_milter_t) - - miscfiles_read_localization($1_milter_t) - - logging_send_syslog_msg($1_milter_t) -') - -######################################## -## -## MTA communication with milter sockets -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_stream_connect_all',` - gen_require(` - attribute milter_data_type, milter_domains; - ') - - getattr_dirs_pattern($1, milter_data_type, milter_data_type) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) -') - -######################################## -## -## Allow getattr of milter sockets -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_getattr_all_sockets',` - gen_require(` - attribute milter_data_type; - ') - - getattr_dirs_pattern($1, milter_data_type, milter_data_type) - getattr_sock_files_pattern($1, milter_data_type, milter_data_type) -') - -######################################## -## -## Manage spamassassin milter state -## -## -## -## Domain allowed access. -## -## -# -interface(`milter_manage_spamass_state',` - gen_require(` - type spamass_milter_state_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) -') diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te deleted file mode 100644 index 47e361243..000000000 --- a/policy/modules/services/milter.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(milter, 1.3.0) - -######################################## -# -# Declarations -# - -# attributes common to all milters -attribute milter_domains; -attribute milter_data_type; - -# currently-supported milters are milter-greylist, milter-regex and spamass-milter -milter_template(greylist) -milter_template(regex) -milter_template(spamass) - -# Type for the spamass-milter home directory, under which spamassassin will -# store system-wide preferences, bayes databases etc. if not configured to -# use per-user configuration -type spamass_milter_state_t; -files_type(spamass_milter_state_t) - -######################################## -# -# milter-greylist local policy -# ensure smtp clients retry mail like real MTAs and not spamware -# http://hcpnet.free.fr/milter-greylist/ -# - -# It removes any existing socket (not owned by root) whilst running as root, -# fixes permissions, renices itself and then calls setgid() and setuid() to -# drop privileges -allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; -allow greylist_milter_t self:process { setsched getsched }; - -# It creates a pid file /var/run/milter-greylist.pid -files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) - -kernel_read_kernel_sysctls(greylist_milter_t) - -# Allow the milter to read a GeoIP database in /usr/share -files_read_usr_files(greylist_milter_t) -# The milter runs from /var/lib/milter-greylist and maintains files there -files_search_var_lib(greylist_milter_t) - -# Look up username for dropping privs -auth_use_nsswitch(greylist_milter_t) - -# Config is in /etc/mail/greylist.conf -mta_read_config(greylist_milter_t) - -######################################## -# -# milter-regex local policy -# filter emails using regular expressions -# http://www.benzedrine.cx/milter-regex.html -# - -# It removes any existing socket (not owned by root) whilst running as root -# and then calls setgid() and setuid() to drop privileges -allow regex_milter_t self:capability { setuid setgid dac_override }; - -# The milter's socket directory lives under /var/spool -files_search_spool(regex_milter_t) - -# Look up username for dropping privs -auth_use_nsswitch(regex_milter_t) - -# Config is in /etc/mail/milter-regex.conf -mta_read_config(regex_milter_t) - -######################################## -# -# spamass-milter local policy -# pipe emails through SpamAssassin -# http://savannah.nongnu.org/projects/spamass-milt/ -# - -# The milter runs from /var/lib/spamass-milter -allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; -files_search_var_lib(spamass_milter_t) - -kernel_read_system_state(spamass_milter_t) - -# When used with -b or -B options, the milter invokes sendmail to send mail -# to a spamtrap address, using popen() -corecmd_exec_shell(spamass_milter_t) -corecmd_read_bin_symlinks(spamass_milter_t) -corecmd_search_bin(spamass_milter_t) - -mta_send_mail(spamass_milter_t) - -# The main job of the milter is to pipe spam through spamc and act on the result -optional_policy(` - spamassassin_domtrans_client(spamass_milter_t) -') diff --git a/policy/modules/services/modemmanager.fc b/policy/modules/services/modemmanager.fc deleted file mode 100644 index a83894c6e..000000000 --- a/policy/modules/services/modemmanager.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if deleted file mode 100644 index 336869915..000000000 --- a/policy/modules/services/modemmanager.if +++ /dev/null @@ -1,40 +0,0 @@ -## Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards. - -######################################## -## -## Execute a domain transition to run modemmanager. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modemmanager_domtrans',` - gen_require(` - type modemmanager_t, modemmanager_exec_t; - ') - - domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) -') - -######################################## -## -## Send and receive messages from -## modemmanager over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`modemmanager_dbus_chat',` - gen_require(` - type modemmanager_t; - class dbus send_msg; - ') - - allow $1 modemmanager_t:dbus send_msg; - allow modemmanager_t $1:dbus send_msg; -') diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te deleted file mode 100644 index b3ace1618..000000000 --- a/policy/modules/services/modemmanager.te +++ /dev/null @@ -1,41 +0,0 @@ -policy_module(modemmanager, 1.1.0) - -######################################## -# -# Declarations -# - -type modemmanager_t; -type modemmanager_exec_t; -dbus_system_domain(modemmanager_t, modemmanager_exec_t) -typealias modemmanager_t alias ModemManager_t; -typealias modemmanager_exec_t alias ModemManager_exec_t; - -######################################## -# -# ModemManager local policy -# - -allow modemmanager_t self:process signal; -allow modemmanager_t self:fifo_file rw_file_perms; -allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; -allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_system_state(modemmanager_t) - -dev_read_sysfs(modemmanager_t) -dev_rw_modem(modemmanager_t) - -files_read_etc_files(modemmanager_t) - -term_use_unallocated_ttys(modemmanager_t) - -miscfiles_read_localization(modemmanager_t) - -logging_send_syslog_msg(modemmanager_t) - -networkmanager_dbus_chat(modemmanager_t) - -optional_policy(` - udev_read_db(modemmanager_t) -') diff --git a/policy/modules/services/mojomojo.fc b/policy/modules/services/mojomojo.fc deleted file mode 100644 index 824c97938..000000000 --- a/policy/modules/services/mojomojo.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) - -/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) - -/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if deleted file mode 100644 index 657a9fc20..000000000 --- a/policy/modules/services/mojomojo.if +++ /dev/null @@ -1,40 +0,0 @@ -## MojoMojo Wiki - -######################################## -## -## All of the rules required to administrate -## an mojomojo environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mojomojo_admin',` - gen_require(` - type httpd_mojomojo_script_t; - type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; - type httpd_mojomojo_rw_content_t; - type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; - ') - - allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_mojomojo_script_t) - - files_search_var_lib(httpd_mojomojo_script_t) - - apache_search_sys_content($1) - admin_pattern($1, httpd_mojomojo_script_exec_t) - admin_pattern($1, httpd_mojomojo_script_t) - admin_pattern($1, httpd_mojomojo_content_t) - admin_pattern($1, httpd_mojomojo_htaccess_t) - admin_pattern($1, httpd_mojomojo_rw_content_t) - admin_pattern($1, httpd_mojomojo_ra_content_t) -') diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te deleted file mode 100644 index 83f002c38..000000000 --- a/policy/modules/services/mojomojo.te +++ /dev/null @@ -1,36 +0,0 @@ -policy_module(mojomojo, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(mojomojo) - -######################################## -# -# mojomojo local policy -# - -allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; - -corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) -corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) -corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) -corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) - -files_search_var_lib(httpd_mojomojo_script_t) - -sysnet_dns_name_resolve(httpd_mojomojo_script_t) - -mta_send_mail(httpd_mojomojo_script_t) - -optional_policy(` - mysql_stream_connect(httpd_mojomojo_script_t) -') - -optional_policy(` - postgresql_stream_connect(httpd_mojomojo_script_t) -') diff --git a/policy/modules/services/monop.fc b/policy/modules/services/monop.fc deleted file mode 100644 index 9ee402847..000000000 --- a/policy/modules/services/monop.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0) - -/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0) -/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0) diff --git a/policy/modules/services/monop.if b/policy/modules/services/monop.if deleted file mode 100644 index 2611351ee..000000000 --- a/policy/modules/services/monop.if +++ /dev/null @@ -1 +0,0 @@ -## Monopoly daemon diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te deleted file mode 100644 index 6647a3560..000000000 --- a/policy/modules/services/monop.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(monop, 1.7.0) - -######################################## -# -# Declarations -# - -type monopd_t; -type monopd_exec_t; -init_daemon_domain(monopd_t, monopd_exec_t) - -type monopd_etc_t; -files_config_file(monopd_etc_t) - -type monopd_share_t; -files_type(monopd_share_t) - -type monopd_var_run_t; -files_pid_file(monopd_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit monopd_t self:capability sys_tty_config; -allow monopd_t self:process signal_perms; -allow monopd_t self:tcp_socket create_stream_socket_perms; -allow monopd_t self:udp_socket create_socket_perms; - -allow monopd_t monopd_etc_t:file read_file_perms; -files_search_etc(monopd_t) - -allow monopd_t monopd_share_t:dir list_dir_perms; -read_files_pattern(monopd_t, monopd_share_t, monopd_share_t) -read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t) - -manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t) -files_pid_filetrans(monopd_t, monopd_var_run_t, file) - -kernel_read_kernel_sysctls(monopd_t) -kernel_list_proc(monopd_t) -kernel_read_proc_symlinks(monopd_t) - -corenet_all_recvfrom_unlabeled(monopd_t) -corenet_all_recvfrom_netlabel(monopd_t) -corenet_tcp_sendrecv_generic_if(monopd_t) -corenet_udp_sendrecv_generic_if(monopd_t) -corenet_tcp_sendrecv_generic_node(monopd_t) -corenet_udp_sendrecv_generic_node(monopd_t) -corenet_tcp_sendrecv_all_ports(monopd_t) -corenet_udp_sendrecv_all_ports(monopd_t) -corenet_tcp_bind_generic_node(monopd_t) -corenet_tcp_bind_monopd_port(monopd_t) -corenet_sendrecv_monopd_server_packets(monopd_t) - -dev_read_sysfs(monopd_t) - -domain_use_interactive_fds(monopd_t) - -files_read_etc_files(monopd_t) - -fs_getattr_all_fs(monopd_t) -fs_search_auto_mountpoints(monopd_t) - -logging_send_syslog_msg(monopd_t) - -miscfiles_read_localization(monopd_t) - -sysnet_read_config(monopd_t) - -userdom_dontaudit_use_unpriv_user_fds(monopd_t) -userdom_dontaudit_search_user_home_dirs(monopd_t) - -optional_policy(` - nis_use_ypbind(monopd_t) -') - -optional_policy(` - seutil_sigchld_newrole(monopd_t) -') - -optional_policy(` - udev_read_db(monopd_t) -') diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc deleted file mode 100644 index ddc14d6bc..000000000 --- a/policy/modules/services/mpd.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) -/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) - -/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) - -/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) -/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if deleted file mode 100644 index d72276ffc..000000000 --- a/policy/modules/services/mpd.if +++ /dev/null @@ -1,267 +0,0 @@ -## Music Player Daemon - -######################################## -## -## Execute a domain transition to run mpd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mpd_domtrans',` - gen_require(` - type mpd_t, mpd_exec_t; - ') - - domtrans_pattern($1, mpd_exec_t, mpd_t) -') - -######################################## -## -## Execute mpd server in the mpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mpd_initrc_domtrans',` - gen_require(` - type mpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, mpd_initrc_exec_t) -') - -####################################### -## -## Read mpd data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_read_data_files',` - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - read_files_pattern($1, mpd_data_t, mpd_data_t) -') - -###################################### -## -## Manage mpd data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_data_files',` - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - manage_files_pattern($1, mpd_data_t, mpd_data_t) -') - -####################################### -## -## Read mpd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_read_tmpfs_files',` - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -') - -################################### -## -## Manage mpd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_tmpfs_files',` - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) - manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -') - -######################################## -## -## Search mpd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_search_lib',` - gen_require(` - type mpd_var_lib_t; - ') - - allow $1 mpd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read mpd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_read_lib_files',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## mpd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_lib_files',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -####################################### -## -## Create an object in the root directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`mpd_var_lib_filetrans',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, mpd_var_lib_t, $2, $3) -') - -######################################## -## -## Manage mpd lib dirs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mpd_manage_lib_dirs',` - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an mpd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`mpd_admin',` - gen_require(` - type mpd_t, mpd_initrc_exec_t, mpd_etc_t; - type mpd_data_t, mpd_log_t, mpd_var_lib_t; - type mpd_tmpfs_t; - ') - - allow $1 mpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, mpd_t) - - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, mpd_etc_t) - files_list_etc($1) - - files_list_var_lib($1) - admin_pattern($1, mpd_var_lib_t) - - admin_pattern($1, mpd_data_t) - - admin_pattern($1, mpd_log_t) - - fs_list_tmpfs($1) - admin_pattern($1, mpd_tmpfs_t) -') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te deleted file mode 100644 index 7f688728e..000000000 --- a/policy/modules/services/mpd.te +++ /dev/null @@ -1,126 +0,0 @@ -policy_module(mpd, 1.0.0) - -######################################## -# -# Declarations -# - -type mpd_t; -type mpd_exec_t; -init_daemon_domain(mpd_t, mpd_exec_t) - -# type for music content -type mpd_data_t; -files_type(mpd_data_t) - -type mpd_etc_t; -files_config_file(mpd_etc_t) - -type mpd_initrc_exec_t; -init_script_file(mpd_initrc_exec_t) - -type mpd_log_t; -logging_log_file(mpd_log_t) - -type mpd_tmp_t; -files_tmp_file(mpd_tmp_t) - -type mpd_tmpfs_t; -files_tmpfs_file(mpd_tmpfs_t) - -type mpd_var_lib_t; -files_type(mpd_var_lib_t) - -######################################## -# -# mpd local policy -# - -# dac_override bug in mpd relating to mpd.log file -allow mpd_t self:capability { dac_override kill setgid setuid }; -allow mpd_t self:process { getsched setsched setrlimit signal signull }; -allow mpd_t self:fifo_file rw_fifo_file_perms; -allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow mpd_t self:tcp_socket create_stream_socket_perms; -allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) -manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) - -read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) - -manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) - -manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) -manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) -fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) - -manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) -files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) - -# needed by pulseaudio -kernel_getattr_proc(mpd_t) -kernel_read_system_state(mpd_t) -kernel_read_kernel_sysctls(mpd_t) - -corecmd_exec_bin(mpd_t) - -corenet_all_recvfrom_unlabeled(mpd_t) -corenet_all_recvfrom_netlabel(mpd_t) -corenet_tcp_sendrecv_generic_if(mpd_t) -corenet_tcp_sendrecv_generic_node(mpd_t) -corenet_tcp_bind_mpd_port(mpd_t) -corenet_tcp_bind_soundd_port(mpd_t) -corenet_tcp_connect_http_port(mpd_t) -corenet_tcp_connect_http_cache_port(mpd_t) -corenet_tcp_connect_pulseaudio_port(mpd_t) -corenet_tcp_connect_soundd_port(mpd_t) -corenet_sendrecv_http_client_packets(mpd_t) -corenet_sendrecv_http_cache_client_packets(mpd_t) -corenet_sendrecv_pulseaudio_client_packets(mpd_t) -corenet_sendrecv_soundd_client_packets(mpd_t) - -dev_read_sound(mpd_t) -dev_write_sound(mpd_t) -dev_read_sysfs(mpd_t) - -files_read_usr_files(mpd_t) - -fs_getattr_tmpfs(mpd_t) -fs_list_inotifyfs(mpd_t) -fs_rw_anon_inodefs_files(mpd_t) - -auth_use_nsswitch(mpd_t) - -logging_send_syslog_msg(mpd_t) - -miscfiles_read_localization(mpd_t) - -optional_policy(` - alsa_read_rw_config(mpd_t) -') - -optional_policy(` - consolekit_dbus_chat(mpd_t) -') - -optional_policy(` - dbus_system_bus_client(mpd_t) -') - -optional_policy(` - pulseaudio_exec(mpd_t) - pulseaudio_stream_connect(mpd_t) - pulseaudio_signull(mpd_t) -') - -optional_policy(` - udev_read_db(mpd_t) -') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc deleted file mode 100644 index 256166a9e..000000000 --- a/policy/modules/services/mta.fc +++ /dev/null @@ -1,30 +0,0 @@ -HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) - -/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) -/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -ifdef(`distro_redhat',` -/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) -') - -/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - -/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if deleted file mode 100644 index 343cee395..000000000 --- a/policy/modules/services/mta.if +++ /dev/null @@ -1,901 +0,0 @@ -## Policy common to all email tranfer agents. - -######################################## -## -## MTA stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_stub',` - gen_require(` - type sendmail_exec_t; - ') -') - -####################################### -## -## Basic mail transfer agent domain template. -## -## -##

-## This template creates a derived domain which is -## a email transfer agent, which sends mail on -## behalf of the user. -##

-##

-## This is the basic types and rules, common -## to the system agent and user agents. -##

-## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`mta_base_mail_template',` - - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - - ############################## - # - # $1_mail_t declarations - # - - type $1_mail_t, user_mail_domain; - application_domain($1_mail_t, sendmail_exec_t) - - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - - ############################## - # - # $1_mail_t local policy - # - - allow $1_mail_t self:capability { setuid setgid chown }; - allow $1_mail_t self:process { signal_perms setrlimit }; - allow $1_mail_t self:tcp_socket create_socket_perms; - - # re-exec itself - can_exec($1_mail_t, sendmail_exec_t) - allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; - - kernel_read_system_state($1_mail_t) - kernel_read_kernel_sysctls($1_mail_t) - - corenet_all_recvfrom_unlabeled($1_mail_t) - corenet_all_recvfrom_netlabel($1_mail_t) - corenet_tcp_sendrecv_generic_if($1_mail_t) - corenet_tcp_sendrecv_generic_node($1_mail_t) - corenet_tcp_sendrecv_all_ports($1_mail_t) - corenet_tcp_connect_all_ports($1_mail_t) - corenet_tcp_connect_smtp_port($1_mail_t) - corenet_sendrecv_smtp_client_packets($1_mail_t) - - corecmd_exec_bin($1_mail_t) - - files_read_etc_files($1_mail_t) - files_search_spool($1_mail_t) - # It wants to check for nscd - files_dontaudit_search_pids($1_mail_t) - - auth_use_nsswitch($1_mail_t) - - init_dontaudit_rw_utmp($1_mail_t) - - logging_send_syslog_msg($1_mail_t) - - miscfiles_read_localization($1_mail_t) - - optional_policy(` - exim_read_log($1_mail_t) - exim_append_log($1_mail_t) - exim_manage_spool_files($1_mail_t) - ') - - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) - ') - - optional_policy(` - procmail_exec($1_mail_t) - ') - - optional_policy(` - qmail_domtrans_inject($1_mail_t) - ') - - optional_policy(` - gen_require(` - type etc_mail_t, mail_spool_t, mqueue_spool_t; - ') - - manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - - allow $1_mail_t etc_mail_t:dir search_dir_perms; - - # Write to /var/spool/mail and /var/spool/mqueue. - manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) - manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) - - # Check available space. - fs_getattr_xattr_fs($1_mail_t) - - files_read_etc_runtime_files($1_mail_t) - - # Write to /var/log/sendmail.st - sendmail_manage_log($1_mail_t) - sendmail_create_log($1_mail_t) - ') - - optional_policy(` - uucp_manage_spool($1_mail_t) - ') -') - -######################################## -## -## Role access for mta -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`mta_role',` - gen_require(` - attribute mta_user_agent; - type user_mail_t, sendmail_exec_t; - ') - - role $1 types { user_mail_t mta_user_agent }; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, sendmail_exec_t, user_mail_t) - allow $2 sendmail_exec_t:lnk_file { getattr read }; - - allow mta_user_agent $2:fd use; - allow mta_user_agent $2:process sigchld; - allow mta_user_agent $2:fifo_file { read write }; -') - -######################################## -## -## Make the specified domain usable for a mail server. -## -## -## -## Type to be used as a mail server domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`mta_mailserver',` - gen_require(` - attribute mailserver_domain; - ') - - init_daemon_domain($1, $2) - typeattribute $1 mailserver_domain; -') - -######################################## -## -## Make the specified type a MTA executable file. -## -## -## -## Type to be used as a mail client. -## -## -# -interface(`mta_agent_executable',` - gen_require(` - attribute mta_exec_type; - ') - - typeattribute $1 mta_exec_type; - - application_executable_file($1) -') - -######################################## -## -## Make the specified type by a system MTA. -## -## -## -## Type to be used as a mail client. -## -## -# -interface(`mta_system_content',` - gen_require(` - attribute mailcontent_type; - ') - - typeattribute $1 mailcontent_type; -') - -######################################## -## -## Modified mailserver interface for -## sendmail daemon use. -## -## -##

-## A modified MTA mail server interface for -## the sendmail program. It's design does -## not fit well with policy, and using the -## regular interface causes a type_transition -## conflict if direct running of init scripts -## is enabled. -##

-##

-## This interface should most likely only be used -## by the sendmail policy. -##

-## -## -## -## The type to be used for the mail server. -## -## -# -interface(`mta_sendmail_mailserver',` - gen_require(` - attribute mailserver_domain; - type sendmail_exec_t; - ') - - init_system_domain($1, sendmail_exec_t) - typeattribute $1 mailserver_domain; -') - -####################################### -## -## Make a type a mailserver type used -## for sending mail. -## -## -## -## Mail server domain type used for sending mail. -## -## -# -interface(`mta_mailserver_sender',` - gen_require(` - attribute mailserver_sender; - ') - - typeattribute $1 mailserver_sender; -') - -####################################### -## -## Make a type a mailserver type used -## for delivering mail to local users. -## -## -## -## Mail server domain type used for delivering mail. -## -## -# -interface(`mta_mailserver_delivery',` - gen_require(` - attribute mailserver_delivery; - type mail_spool_t; - ') - - typeattribute $1 mailserver_delivery; -') - -####################################### -## -## Make a type a mailserver type used -## for sending mail on behalf of local -## users to the local mail spool. -## -## -## -## Mail server domain type used for sending local mail. -## -## -# -interface(`mta_mailserver_user_agent',` - gen_require(` - attribute mta_user_agent; - ') - - typeattribute $1 mta_user_agent; - - optional_policy(` - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) - ') -') - -######################################## -## -## Send mail from the system. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mta_send_mail',` - gen_require(` - attribute mta_user_agent; - type system_mail_t; - attribute mta_exec_type; - ') - - allow $1 mta_exec_type:lnk_file read_lnk_file_perms; - corecmd_read_bin_symlinks($1) - domtrans_pattern($1, mta_exec_type, system_mail_t) - - allow mta_user_agent $1:fd use; - allow mta_user_agent $1:process sigchld; - allow mta_user_agent $1:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Execute send mail in a specified domain. -## -## -##

-## Execute send mail in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-## -## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# -interface(`mta_sendmail_domtrans',` - gen_require(` - type sendmail_exec_t; - ') - - files_search_usr($1) - corecmd_read_bin_symlinks($1) - domain_auto_trans($1, sendmail_exec_t, $2) -') - -######################################## -## -## Send system mail client a signal -## -## -## -## Domain allowed access. -## -## -# -# -interface(`mta_signal_system_mail',` - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process signal; -') - -######################################## -## -## Execute sendmail in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_sendmail_exec',` - gen_require(` - type sendmail_exec_t; - ') - - can_exec($1, sendmail_exec_t) -') - -######################################## -## -## Read mail server configuration. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mta_read_config',` - gen_require(` - type etc_mail_t; - ') - - files_search_etc($1) - allow $1 etc_mail_t:dir list_dir_perms; - read_files_pattern($1, etc_mail_t, etc_mail_t) - read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) -') - -######################################## -## -## write mail server configuration. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mta_write_config',` - gen_require(` - type etc_mail_t; - ') - - write_files_pattern($1, etc_mail_t, etc_mail_t) -') - -######################################## -## -## Read mail address aliases. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_read_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete mail address aliases. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_manage_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - manage_files_pattern($1, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) -') - -######################################## -## -## Type transition files created in /etc -## to the mail address aliases type. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_etc_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_etc_filetrans($1, etc_aliases_t, file) -') - -######################################## -## -## Read and write mail aliases. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mta_rw_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file { rw_file_perms setattr }; -') - -####################################### -## -## Do not audit attempts to read and write TCP -## sockets of mail delivery domains. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_rw_delivery_tcp_sockets',` - gen_require(` - attribute mailserver_delivery; - ') - - dontaudit $1 mailserver_delivery:tcp_socket { read write }; -') - -####################################### -## -## Connect to all mail servers over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_tcp_connect_all_mailservers',` - refpolicywarn(`$0($*) has been deprecated.') -') - -####################################### -## -## Do not audit attempts to read a symlink -## in the mail spool. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_read_spool_symlinks',` - gen_require(` - type mail_spool_t; - ') - - dontaudit $1 mail_spool_t:lnk_file read; -') - -######################################## -## -## Get the attributes of mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_getattr_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - getattr_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## -## Do not audit attempts to get the attributes -## of mail spool files. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_getattr_spool_files',` - gen_require(` - type mail_spool_t; - ') - - files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search_dir_perms; - dontaudit $1 mail_spool_t:lnk_file read; - dontaudit $1 mail_spool_t:file getattr; -') - -####################################### -## -## Create private objects in the -## mail spool directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`mta_spool_filetrans',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, mail_spool_t, $2, $3) -') - -######################################## -## -## Read and write the mail spool. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_rw_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file setattr; - rw_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -####################################### -## -## Create, read, and write the mail spool. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_append_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1, mail_spool_t, mail_spool_t) - write_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -####################################### -## -## Delete from the mail spool. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_delete_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - delete_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## -## Create, read, write, and delete mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_manage_spool',` - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mail_spool_t, mail_spool_t) - manage_files_pattern($1, mail_spool_t, mail_spool_t) - manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -######################################## -## -## Search mail queue dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_search_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - allow $1 mqueue_spool_t:dir search_dir_perms; -') - -####################################### -## -## List the mail queue. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_list_queue',` - gen_require(` - type mqueue_spool_t; - ') - - allow $1 mqueue_spool_t:dir list_dir_perms; - files_search_spool($1) -') - -####################################### -## -## Read the mail queue. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_read_queue',` - gen_require(` - type mqueue_spool_t; - ') - - read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) - files_search_spool($1) -') - -####################################### -## -## Do not audit attempts to read and -## write the mail queue. -## -## -## -## Domain to not audit. -## -## -# -interface(`mta_dontaudit_rw_queue',` - gen_require(` - type mqueue_spool_t; - ') - - dontaudit $1 mqueue_spool_t:dir search_dir_perms; - dontaudit $1 mqueue_spool_t:file { getattr read write }; -') - -######################################## -## -## Create, read, write, and delete -## mail queue files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_manage_queue',` - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) - manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) -') - -####################################### -## -## Read sendmail binary. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for postfix -interface(`mta_read_sendmail_bin',` - gen_require(` - type sendmail_exec_t; - ') - - allow $1 sendmail_exec_t:file read_file_perms; -') - -####################################### -## -## Read and write unix domain stream sockets -## of user mail domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`mta_rw_user_mail_stream_sockets',` - gen_require(` - attribute user_mail_domain; - ') - - allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; -') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te deleted file mode 100644 index 64268e4f8..000000000 --- a/policy/modules/services/mta.te +++ /dev/null @@ -1,294 +0,0 @@ -policy_module(mta, 2.3.0) - -######################################## -# -# Declarations -# - -attribute mailcontent_type; -attribute mta_exec_type; -attribute mta_user_agent; -attribute mailserver_delivery; -attribute mailserver_domain; -attribute mailserver_sender; - -attribute user_mail_domain; - -type etc_aliases_t; -files_type(etc_aliases_t) - -type etc_mail_t; -files_config_file(etc_mail_t) - -type mail_forward_t; -files_type(mail_forward_t) - -type mqueue_spool_t; -files_mountpoint(mqueue_spool_t) - -type mail_spool_t; -files_mountpoint(mail_spool_t) - -type sendmail_exec_t; -mta_agent_executable(sendmail_exec_t) - -mta_base_mail_template(system) -role system_r types system_mail_t; - -mta_base_mail_template(user) -typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; -typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; -typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; -typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; -ubac_constrained(user_mail_t) -ubac_constrained(user_mail_tmp_t) - -######################################## -# -# System mail local policy -# - -# newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override fowner }; -allow system_mail_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - -allow system_mail_t mail_forward_t:file read_file_perms; - -allow system_mail_t mta_exec_type:file entrypoint; - -can_exec(system_mail_t, mta_exec_type) - -kernel_read_system_state(system_mail_t) -kernel_read_network_state(system_mail_t) -kernel_request_load_module(system_mail_t) - -dev_read_sysfs(system_mail_t) -dev_read_rand(system_mail_t) -dev_read_urand(system_mail_t) - -files_read_usr_files(system_mail_t) - -fs_rw_anon_inodefs_files(system_mail_t) - -selinux_getattr_fs(system_mail_t) - -term_dontaudit_use_unallocated_ttys(system_mail_t) - -init_use_script_ptys(system_mail_t) - -userdom_use_user_terminals(system_mail_t) -userdom_dontaudit_search_user_home_dirs(system_mail_t) - -optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) - - # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -') - -optional_policy(` - arpwatch_manage_tmp_files(system_mail_t) - - ifdef(`hide_broken_symptoms', ` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') -') - -optional_policy(` - clamav_stream_connect(system_mail_t) - clamav_append_log(system_mail_t) -') - -optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) - cron_rw_system_job_stream_sockets(system_mail_t) -') - -optional_policy(` - courier_manage_spool_dirs(system_mail_t) - courier_manage_spool_files(system_mail_t) - courier_rw_spool_pipes(system_mail_t) -') - -optional_policy(` - cvs_read_data(system_mail_t) -') - -optional_policy(` - exim_domtrans(system_mail_t) - exim_manage_log(system_mail_t) -') - -optional_policy(` - fail2ban_append_log(system_mail_t) -') - -optional_policy(` - logrotate_read_tmp_files(system_mail_t) -') - -optional_policy(` - logwatch_read_tmp_files(system_mail_t) -') - -optional_policy(` - # newaliases runs as system_mail_t when the sendmail initscript does a restart - milter_getattr_all_sockets(system_mail_t) -') - -optional_policy(` - nagios_read_tmp_files(system_mail_t) -') - -optional_policy(` - manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) - - domain_use_interactive_fds(system_mail_t) - - # postfix needs this for newaliases - files_getattr_tmp_dirs(system_mail_t) - - postfix_exec_master(system_mail_t) - postfix_read_config(system_mail_t) - postfix_search_spool(system_mail_t) - - ifdef(`distro_redhat',` - # compatability for old default main.cf - postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') -') - -optional_policy(` - qmail_domtrans_inject(system_mail_t) -') - -optional_policy(` - sxid_read_log(system_mail_t) -') - -optional_policy(` - userdom_dontaudit_use_user_ptys(system_mail_t) - - optional_policy(` - cron_dontaudit_append_system_job_tmp_files(system_mail_t) - ') -') - -optional_policy(` - smartmon_read_tmp_files(system_mail_t) -') - -# should break this up among sections: - -optional_policy(` - # why is mail delivered to a directory of type arpwatch_data_t? - arpwatch_search_data(mailserver_delivery) - arpwatch_manage_tmp_files(mta_user_agent) - - ifdef(`hide_broken_symptoms', ` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) - ') - - optional_policy(` - cron_read_system_job_tmp_files(mta_user_agent) - ') -') - -######################################## -# -# Mailserver delivery local policy -# - -allow mailserver_delivery mail_spool_t:dir list_dir_perms; -create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) - -read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) - -read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) - fs_manage_cifs_symlinks(mailserver_delivery) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mailserver_delivery) - fs_manage_nfs_files(mailserver_delivery) - fs_manage_nfs_symlinks(mailserver_delivery) -') - -optional_policy(` - dovecot_manage_spool(mailserver_delivery) - dovecot_domtrans_deliver(mailserver_delivery) -') - -optional_policy(` - # so MTA can access /var/lib/mailman/mail/wrapper - files_search_var_lib(mailserver_delivery) - - mailman_domtrans(mailserver_delivery) - mailman_read_data_symlinks(mailserver_delivery) -') - -######################################## -# -# User send mail local policy -# - -domain_use_interactive_fds(user_mail_t) - -userdom_use_user_terminals(user_mail_t) -# Write to the user domain tty. cjp: why? -userdom_use_user_terminals(mta_user_agent) -# Create dead.letter in user home directories. -userdom_manage_user_home_content_files(user_mail_t) -userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -# for reading .forward - maybe we need a new type for it? -# also for delivering mail to maildir -userdom_manage_user_home_content_dirs(mailserver_delivery) -userdom_manage_user_home_content_files(mailserver_delivery) -userdom_manage_user_home_content_symlinks(mailserver_delivery) -userdom_manage_user_home_content_pipes(mailserver_delivery) -userdom_manage_user_home_content_sockets(mailserver_delivery) -userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) -# Read user temporary files. -userdom_read_user_tmp_files(user_mail_t) -userdom_dontaudit_append_user_tmp_files(user_mail_t) -# cjp: this should probably be read all user tmp -# files in an appropriate place for mta_user_agent -userdom_read_user_tmp_files(mta_user_agent) - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(user_mail_t) - fs_manage_cifs_symlinks(user_mail_t) -') - -optional_policy(` - allow user_mail_t self:capability dac_override; - - # Read user temporary files. - # postfix seems to need write access if the file handle is opened read/write - userdom_rw_user_tmp_files(user_mail_t) - - postfix_read_config(user_mail_t) - postfix_list_spool(user_mail_t) -') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc deleted file mode 100644 index fd71d69fa..000000000 --- a/policy/modules/services/munin.fc +++ /dev/null @@ -1,69 +0,0 @@ -/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) -/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - -/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - -# disk plugins -/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) - -# mail plugins -/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) - -# services plugins -/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) - -# system plugins -/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - -/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) -/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if deleted file mode 100644 index c358d8fb4..000000000 --- a/policy/modules/services/munin.if +++ /dev/null @@ -1,203 +0,0 @@ -## Munin network-wide load graphing (formerly LRRD) - -######################################## -## -## Create a set of derived types for various -## munin plugins, -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`munin_plugin_template',` - gen_require(` - type munin_t, munin_exec_t, munin_etc_t; - ') - - type $1_munin_plugin_t; - type $1_munin_plugin_exec_t; - typealias $1_munin_plugin_t alias munin_$1_plugin_t; - typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; - application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t) - role system_r types $1_munin_plugin_t; - - type $1_munin_plugin_tmp_t; - typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t; - files_tmp_file($1_munin_plugin_tmp_t) - - allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms; - - manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) - - # automatic transition rules from munin domain - # to specific munin plugin domain - domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) - - allow $1_munin_plugin_t munin_exec_t:file read_file_perms; - allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms; - - read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t) - - kernel_read_system_state($1_munin_plugin_t) - - corecmd_exec_bin($1_munin_plugin_t) - - miscfiles_read_localization($1_munin_plugin_t) -') - -######################################## -## -## Connect to munin over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`munin_stream_connect',` - gen_require(` - type munin_var_run_t, munin_t; - ') - - allow $1 munin_t:unix_stream_socket connectto; - allow $1 munin_var_run_t:sock_file { getattr write }; - files_search_pids($1) -') - -####################################### -## -## Read munin configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`munin_read_config',` - gen_require(` - type munin_etc_t; - ') - - allow $1 munin_etc_t:dir list_dir_perms; - allow $1 munin_etc_t:file read_file_perms; - allow $1 munin_etc_t:lnk_file { getattr read }; - files_search_etc($1) -') - -####################################### -## -## Append to the munin log. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`munin_append_log',` - gen_require(` - type munin_log_t; - ') - - logging_search_logs($1) - allow $1 munin_log_t:dir list_dir_perms; - append_files_pattern($1, munin_log_t, munin_log_t) -') - -####################################### -## -## Search munin library directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`munin_search_lib',` - gen_require(` - type munin_var_lib_t; - ') - - allow $1 munin_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -####################################### -## -## Do not audit attempts to search -## munin library directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`munin_dontaudit_search_lib',` - gen_require(` - type munin_var_lib_t; - ') - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an munin environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the munin domain. -## -## -## -# -interface(`munin_admin',` - gen_require(` - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_var_run_t; - type httpd_munin_content_t; - type munin_initrc_exec_t; - ') - - allow $1 munin_t:process { ptrace signal_perms }; - ps_process_pattern($1, munin_t) - - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 munin_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, munin_tmp_t) - - logging_list_logs($1) - admin_pattern($1, munin_log_t) - - files_list_etc($1) - admin_pattern($1, munin_etc_t) - - files_list_var_lib($1) - admin_pattern($1, munin_var_lib_t) - - files_list_pids($1) - admin_pattern($1, munin_var_run_t) - - admin_pattern($1, httpd_munin_content_t) -') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te deleted file mode 100644 index f17583b6f..000000000 --- a/policy/modules/services/munin.te +++ /dev/null @@ -1,315 +0,0 @@ -policy_module(munin, 1.8.0) - -######################################## -# -# Declarations -# - -type munin_t alias lrrd_t; -type munin_exec_t alias lrrd_exec_t; -init_daemon_domain(munin_t, munin_exec_t) - -type munin_etc_t alias lrrd_etc_t; -files_config_file(munin_etc_t) - -type munin_initrc_exec_t; -init_script_file(munin_initrc_exec_t) - -type munin_log_t alias lrrd_log_t; -logging_log_file(munin_log_t) - -type munin_tmp_t alias lrrd_tmp_t; -files_tmp_file(munin_tmp_t) - -type munin_var_lib_t alias lrrd_var_lib_t; -files_type(munin_var_lib_t) - -type munin_var_run_t alias lrrd_var_run_t; -files_pid_file(munin_var_run_t) - -munin_plugin_template(disk) - -munin_plugin_template(mail) - -munin_plugin_template(services) - -munin_plugin_template(system) - -######################################## -# -# Local policy -# - -allow munin_t self:capability { chown dac_override setgid setuid }; -dontaudit munin_t self:capability sys_tty_config; -allow munin_t self:process { getsched setsched signal_perms }; -allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; -allow munin_t self:tcp_socket create_stream_socket_perms; -allow munin_t self:udp_socket create_socket_perms; -allow munin_t self:fifo_file manage_fifo_file_perms; - -allow munin_t munin_etc_t:dir list_dir_perms; -read_files_pattern(munin_t, munin_etc_t, munin_etc_t) -read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) -files_search_etc(munin_t) - -can_exec(munin_t, munin_exec_t) - -manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -manage_files_pattern(munin_t, munin_log_t, munin_log_t) -logging_log_filetrans(munin_t, munin_log_t, { file dir }) - -manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) -manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file }) - -# Allow access to the munin databases -manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -files_search_var_lib(munin_t) - -manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -files_pid_filetrans(munin_t, munin_var_run_t, file) - -kernel_read_system_state(munin_t) -kernel_read_network_state(munin_t) -kernel_read_all_sysctls(munin_t) - -corecmd_exec_bin(munin_t) -corecmd_exec_shell(munin_t) - -corenet_all_recvfrom_unlabeled(munin_t) -corenet_all_recvfrom_netlabel(munin_t) -corenet_tcp_sendrecv_generic_if(munin_t) -corenet_udp_sendrecv_generic_if(munin_t) -corenet_tcp_sendrecv_generic_node(munin_t) -corenet_udp_sendrecv_generic_node(munin_t) -corenet_tcp_sendrecv_all_ports(munin_t) -corenet_udp_sendrecv_all_ports(munin_t) -corenet_tcp_bind_generic_node(munin_t) -corenet_tcp_bind_munin_port(munin_t) -corenet_tcp_connect_munin_port(munin_t) -corenet_tcp_connect_http_port(munin_t) - -dev_read_sysfs(munin_t) -dev_read_urand(munin_t) - -domain_use_interactive_fds(munin_t) -domain_read_all_domains_state(munin_t) - -files_read_etc_files(munin_t) -files_read_etc_runtime_files(munin_t) -files_read_usr_files(munin_t) -files_list_spool(munin_t) - -fs_getattr_all_fs(munin_t) -fs_search_auto_mountpoints(munin_t) - -auth_use_nsswitch(munin_t) - -logging_send_syslog_msg(munin_t) -logging_read_all_logs(munin_t) - -miscfiles_read_fonts(munin_t) -miscfiles_read_localization(munin_t) - -sysnet_exec_ifconfig(munin_t) - -userdom_dontaudit_use_unpriv_user_fds(munin_t) -userdom_dontaudit_search_user_home_dirs(munin_t) - -optional_policy(` - apache_content_template(munin) - - manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - apache_search_sys_content(munin_t) -') - -optional_policy(` - cron_system_entry(munin_t, munin_exec_t) -') - -optional_policy(` - fstools_domtrans(munin_t) -') - -optional_policy(` - lpd_domtrans_lpr(munin_t) -') - -optional_policy(` - mta_read_config(munin_t) - mta_send_mail(munin_t) - mta_read_queue(munin_t) -') - -optional_policy(` - mysql_read_config(munin_t) - mysql_stream_connect(munin_t) -') - -optional_policy(` - netutils_domtrans_ping(munin_t) -') - -optional_policy(` - postfix_list_spool(munin_t) -') - -optional_policy(` - rpc_search_nfs_state_data(munin_t) -') - -optional_policy(` - sendmail_read_log(munin_t) -') - -optional_policy(` - seutil_sigchld_newrole(munin_t) -') - -optional_policy(` - udev_read_db(munin_t) -') - -################################### -# -# local policy for disk plugins -# - -allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; - -rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -corecmd_exec_shell(disk_munin_plugin_t) - -corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) - -files_read_etc_files(disk_munin_plugin_t) -files_read_etc_runtime_files(disk_munin_plugin_t) - -fs_getattr_all_fs(disk_munin_plugin_t) - -dev_read_sysfs(disk_munin_plugin_t) -dev_read_urand(disk_munin_plugin_t) - -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) - -sysnet_read_config(disk_munin_plugin_t) - -optional_policy(` - hddtemp_exec(disk_munin_plugin_t) -') - -optional_policy(` - fstools_exec(disk_munin_plugin_t) -') - -#################################### -# -# local policy for mail plugins -# - -allow mail_munin_plugin_t self:capability dac_override; - -rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -dev_read_urand(mail_munin_plugin_t) - -files_read_etc_files(mail_munin_plugin_t) - -fs_getattr_all_fs(mail_munin_plugin_t) - -logging_read_generic_logs(mail_munin_plugin_t) - -mta_read_config(mail_munin_plugin_t) -mta_send_mail(mail_munin_plugin_t) -mta_read_queue(mail_munin_plugin_t) - -optional_policy(` - postfix_read_config(mail_munin_plugin_t) - postfix_list_spool(mail_munin_plugin_t) -') - -optional_policy(` - sendmail_read_log(mail_munin_plugin_t) -') - -################################### -# -# local policy for service plugins -# - -allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; -allow services_munin_plugin_t self:udp_socket create_socket_perms; -allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; - -corenet_tcp_connect_all_ports(services_munin_plugin_t) -corenet_tcp_connect_http_port(services_munin_plugin_t) - -dev_read_urand(services_munin_plugin_t) -dev_read_rand(services_munin_plugin_t) - -fs_getattr_all_fs(services_munin_plugin_t) - -files_read_etc_files(services_munin_plugin_t) - -sysnet_read_config(services_munin_plugin_t) - -optional_policy(` - cups_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - lpd_exec_lpr(services_munin_plugin_t) -') - -optional_policy(` - mysql_read_config(services_munin_plugin_t) - mysql_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - netutils_domtrans_ping(services_munin_plugin_t) -') - -optional_policy(` - postgresql_stream_connect(services_munin_plugin_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(services_munin_plugin_t) -') - -################################## -# -# local policy for system plugins -# - -allow system_munin_plugin_t self:udp_socket create_socket_perms; - -rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -kernel_read_network_state(system_munin_plugin_t) -kernel_read_all_sysctls(system_munin_plugin_t) - -corecmd_exec_shell(system_munin_plugin_t) - -fs_getattr_all_fs(system_munin_plugin_t) - -dev_read_sysfs(system_munin_plugin_t) -dev_read_urand(system_munin_plugin_t) - -domain_read_all_domains_state(system_munin_plugin_t) - -# needed by users plugin -init_read_utmp(system_munin_plugin_t) - -sysnet_exec_ifconfig(system_munin_plugin_t) - -term_getattr_unallocated_ttys(system_munin_plugin_t) diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc deleted file mode 100644 index cc7192c2c..000000000 --- a/policy/modules/services/mysql.fc +++ /dev/null @@ -1,30 +0,0 @@ -# mysql database server - -# -# /etc -# -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) - -/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) -/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) - -# -# /var -# -/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) -/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) - -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) - -/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if deleted file mode 100644 index e9c09824f..000000000 --- a/policy/modules/services/mysql.if +++ /dev/null @@ -1,355 +0,0 @@ -## Policy for MySQL - -###################################### -## -## Execute MySQL in the mysql domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mysql_domtrans',` - gen_require(` - type mysqld_t, mysqld_exec_t; - ') - - domtrans_pattern($1, mysqld_exec_t, mysqld_t) -') - -######################################## -## -## Send a generic signal to MySQL. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_signal',` - gen_require(` - type mysqld_t; - ') - - allow $1 mysqld_t:process signal; -') - -######################################## -## -## Allow the specified domain to connect to postgresql with a tcp socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_tcp_connect',` - gen_require(` - type mysqld_t; - ') - - corenet_tcp_recvfrom_labeled($1, mysqld_t) - corenet_tcp_sendrecv_mysqld_port($1) - corenet_tcp_connect_mysqld_port($1) - corenet_sendrecv_mysqld_client_packets($1) -') - -######################################## -## -## Connect to MySQL using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mysql_stream_connect',` - gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_db_t; - ') - - stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) - stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) -') - -######################################## -## -## Read MySQL configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mysql_read_config',` - gen_require(` - type mysqld_etc_t; - ') - - allow $1 mysqld_etc_t:dir list_dir_perms; - allow $1 mysqld_etc_t:file read_file_perms; - allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Search the directories that contain MySQL -## database storage. -## -## -## -## Domain allowed access. -## -## -# -# cjp: "_dir" in the name is added to clarify that this -# is not searching the database itself. -interface(`mysql_search_db',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; -') - -######################################## -## -## Read and write to the MySQL database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_rw_db_dirs',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir rw_dir_perms; -') - -######################################## -## -## Create, read, write, and delete MySQL database directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_manage_db_dirs',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir manage_dir_perms; -') - -####################################### -## -## Append to the MySQL database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_append_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - append_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -####################################### -## -## Read and write to the MySQL database directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_rw_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -####################################### -## -## Create, read, write, and delete MySQL database files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_manage_db_files',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mysqld_db_t, mysqld_db_t) -') - -######################################## -## -## Read and write to the MySQL database -## named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_rw_db_sockets',` - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; - allow $1 mysqld_db_t:sock_file rw_sock_file_perms; -') - -######################################## -## -## Write to the MySQL log. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_write_log',` - gen_require(` - type mysqld_log_t; - ') - - logging_search_logs($1) - allow $1 mysqld_log_t:file { write_file_perms setattr }; -') - -###################################### -## -## Execute MySQL server in the mysql domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`mysql_domtrans_mysql_safe',` - gen_require(` - type mysqld_safe_t, mysqld_safe_exec_t; - ') - - domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) -') - -##################################### -## -## Read MySQL PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`mysql_read_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') - - mysql_search_pid_files($1) - read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -##################################### -## -## Search MySQL PID files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mysql_search_pid_files',` - gen_require(` - type mysqld_var_run_t; - ') - - search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -') - -######################################## -## -## All of the rules required to administrate an mysql environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the mysql domain. -## -## -## -# -interface(`mysql_admin',` - gen_require(` - type mysqld_t, mysqld_var_run_t; - type mysqld_tmp_t, mysqld_db_t; - type mysqld_etc_t, mysqld_log_t; - type mysqld_initrc_exec_t; - ') - - allow $1 mysqld_t:process { ptrace signal_perms }; - ps_process_pattern($1, mysqld_t) - - init_labeled_script_domtrans($1, mysqld_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mysqld_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, mysqld_var_run_t) - - admin_pattern($1, mysqld_db_t) - - admin_pattern($1, mysqld_etc_t) - - admin_pattern($1, mysqld_log_t) - - admin_pattern($1, mysqld_tmp_t) -') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te deleted file mode 100644 index 0a0d63ca9..000000000 --- a/policy/modules/services/mysql.te +++ /dev/null @@ -1,239 +0,0 @@ -policy_module(mysql, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow mysqld to connect to all ports -##

-## -gen_tunable(mysql_connect_any, false) - -type mysqld_t; -type mysqld_exec_t; -init_daemon_domain(mysqld_t, mysqld_exec_t) - -type mysqld_safe_t; -type mysqld_safe_exec_t; -init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) - -type mysqld_var_run_t; -files_pid_file(mysqld_var_run_t) - -type mysqld_db_t; -files_type(mysqld_db_t) - -type mysqld_etc_t alias etc_mysqld_t; -files_config_file(mysqld_etc_t) - -type mysqld_initrc_exec_t; -init_script_file(mysqld_initrc_exec_t) - -type mysqld_log_t; -logging_log_file(mysqld_log_t) - -type mysqld_tmp_t; -files_tmp_file(mysqld_tmp_t) - -type mysqlmanagerd_t; -type mysqlmanagerd_exec_t; -init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t) - -type mysqlmanagerd_initrc_exec_t; -init_script_file(mysqlmanagerd_initrc_exec_t) - -type mysqlmanagerd_var_run_t; -files_pid_file(mysqlmanagerd_var_run_t) - -######################################## -# -# Local policy -# - -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; -dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; -allow mysqld_t self:fifo_file rw_fifo_file_perms; -allow mysqld_t self:shm create_shm_perms; -allow mysqld_t self:unix_stream_socket create_stream_socket_perms; -allow mysqld_t self:tcp_socket create_stream_socket_perms; -allow mysqld_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) - -allow mysqld_t mysqld_etc_t:file read_file_perms; -allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; -allow mysqld_t mysqld_etc_t:dir list_dir_perms; - -allow mysqld_t mysqld_log_t:file manage_file_perms; -logging_log_filetrans(mysqld_t, mysqld_log_t, file) - -manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) - -manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) - -kernel_read_system_state(mysqld_t) -kernel_read_kernel_sysctls(mysqld_t) - -corenet_all_recvfrom_unlabeled(mysqld_t) -corenet_all_recvfrom_netlabel(mysqld_t) -corenet_tcp_sendrecv_generic_if(mysqld_t) -corenet_udp_sendrecv_generic_if(mysqld_t) -corenet_tcp_sendrecv_generic_node(mysqld_t) -corenet_udp_sendrecv_generic_node(mysqld_t) -corenet_tcp_sendrecv_all_ports(mysqld_t) -corenet_udp_sendrecv_all_ports(mysqld_t) -corenet_tcp_bind_generic_node(mysqld_t) -corenet_tcp_bind_mysqld_port(mysqld_t) -corenet_tcp_connect_mysqld_port(mysqld_t) -corenet_sendrecv_mysqld_client_packets(mysqld_t) -corenet_sendrecv_mysqld_server_packets(mysqld_t) - -dev_read_sysfs(mysqld_t) -dev_read_urand(mysqld_t) - -fs_getattr_all_fs(mysqld_t) -fs_search_auto_mountpoints(mysqld_t) -fs_rw_hugetlbfs_files(mysqld_t) - -domain_use_interactive_fds(mysqld_t) - -files_getattr_var_lib_dirs(mysqld_t) -files_read_etc_runtime_files(mysqld_t) -files_read_etc_files(mysqld_t) -files_read_usr_files(mysqld_t) -files_search_var_lib(mysqld_t) - -auth_use_nsswitch(mysqld_t) - -logging_send_syslog_msg(mysqld_t) - -miscfiles_read_localization(mysqld_t) - -sysnet_read_config(mysqld_t) - -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) -# for /root/.my.cnf - should not be needed: -userdom_read_user_home_content_files(mysqld_t) - -ifdef(`distro_redhat',` - # because Fedora has the sock_file in the database directory - type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -') - -tunable_policy(`mysql_connect_any',` - corenet_tcp_connect_all_ports(mysqld_t) - corenet_sendrecv_all_client_packets(mysqld_t) -') - -optional_policy(` - daemontools_service_domain(mysqld_t, mysqld_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(mysqld_t) -') - -optional_policy(` - udev_read_db(mysqld_t) -') - -####################################### -# -# Local mysqld_safe policy -# - -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -dontaudit mysqld_safe_t self:capability sys_ptrace; -allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - -read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - -domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - -allow mysqld_safe_t mysqld_log_t:file manage_file_perms; - -manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) - -kernel_read_system_state(mysqld_safe_t) -kernel_read_kernel_sysctls(mysqld_safe_t) - -corecmd_exec_bin(mysqld_safe_t) - -dev_list_sysfs(mysqld_safe_t) - -domain_read_all_domains_state(mysqld_safe_t) - -files_read_etc_files(mysqld_safe_t) -files_read_usr_files(mysqld_safe_t) -files_dontaudit_getattr_all_dirs(mysqld_safe_t) - -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - -hostname_exec(mysqld_safe_t) - -miscfiles_read_localization(mysqld_safe_t) - -mysql_manage_db_files(mysqld_safe_t) -mysql_read_config(mysqld_safe_t) -mysql_search_pid_files(mysqld_safe_t) -mysql_write_log(mysqld_safe_t) - -######################################## -# -# MySQL Manager Policy -# - -allow mysqlmanagerd_t self:capability { dac_override kill }; -allow mysqlmanagerd_t self:process signal; -allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; -allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; -allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; - -mysql_read_config(initrc_t) -mysql_read_config(mysqlmanagerd_t) -mysql_read_pid_files(mysqlmanagerd_t) -mysql_search_db(mysqlmanagerd_t) -mysql_signal(mysqlmanagerd_t) -mysql_stream_connect(mysqlmanagerd_t) - -domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) - -manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) -manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) -filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) - -kernel_read_system_state(mysqlmanagerd_t) - -corecmd_exec_shell(mysqlmanagerd_t) - -corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) -corenet_all_recvfrom_netlabel(mysqlmanagerd_t) -corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) -corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) -corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) -corenet_tcp_bind_generic_node(mysqlmanagerd_t) -corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) -corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) -corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) - -dev_read_urand(mysqlmanagerd_t) - -files_read_etc_files(mysqlmanagerd_t) -files_read_usr_files(mysqlmanagerd_t) - -miscfiles_read_localization(mysqlmanagerd_t) - -userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc deleted file mode 100644 index 1fc990575..000000000 --- a/policy/modules/services/nagios.fc +++ /dev/null @@ -1,88 +0,0 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) -/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - -/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - -/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - -/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) - -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) - -ifdef(`distro_debian',` -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -') -/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -# admin plugins -/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) - -# check disk plugins -/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - -# mail plugins -/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) - -# system plugins -/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - -# services plugins -/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - -# unconfined plugins -/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if deleted file mode 100644 index 8581040e9..000000000 --- a/policy/modules/services/nagios.if +++ /dev/null @@ -1,229 +0,0 @@ -## Net Saint / NAGIOS - network monitoring server - -######################################## -## -## Create a set of derived types for various -## nagios plugins, -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`nagios_plugin_template',` - - gen_require(` - type nagios_t, nrpe_t; - type nagios_log_t; - ') - - type nagios_$1_plugin_t; - type nagios_$1_plugin_exec_t; - application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) - role system_r types nagios_$1_plugin_t; - - allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; - - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - - # needed by command.cfg - domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - - allow nagios_t nagios_$1_plugin_t:process signal_perms; - - # cjp: leaked file descriptor - dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; - dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; - - miscfiles_read_localization(nagios_$1_plugin_t) -') - -######################################## -## -## Do not audit attempts to read or write nagios -## unnamed pipes. -## -## -## -## Domain to not audit. -## -## -## -# -interface(`nagios_dontaudit_rw_pipes',` - gen_require(` - type nagios_t; - ') - - dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Allow the specified domain to read -## nagios configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`nagios_read_config',` - gen_require(` - type nagios_etc_t; - ') - - allow $1 nagios_etc_t:dir list_dir_perms; - allow $1 nagios_etc_t:file read_file_perms; - files_search_etc($1) -') - -###################################### -## -## Read nagios logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_read_log',` - gen_require(` - type nagios_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, nagios_log_t, nagios_log_t) -') - -######################################## -## -## Do not audit attempts to read or write nagios logs. -## -## -## -## Domain to not audit. -## -## -# -interface(`nagios_dontaudit_rw_log',` - gen_require(` - type nagios_log_t; - ') - - dontaudit $1 nagios_log_t:file rw_file_perms; -') - -######################################## -## -## Search nagios spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_search_spool',` - gen_require(` - type nagios_spool_t; - ') - - allow $1 nagios_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Allow the specified domain to read -## nagios temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_read_tmp_files',` - gen_require(` - type nagios_tmp_t; - ') - - allow $1 nagios_tmp_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Execute the nagios NRPE with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nagios_domtrans_nrpe',` - gen_require(` - type nrpe_t, nrpe_exec_t; - ') - - domtrans_pattern($1, nrpe_exec_t, nrpe_t) -') - -######################################## -## -## All of the rules required to administrate -## an nagios environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the nagios domain. -## -## -## -# -interface(`nagios_admin',` - gen_require(` - type nagios_t, nrpe_t; - type nagios_tmp_t, nagios_log_t; - type nagios_etc_t, nrpe_etc_t; - type nagios_spool_t, nagios_var_run_t; - type nagios_initrc_exec_t; - ') - - allow $1 nagios_t:process { ptrace signal_perms }; - ps_process_pattern($1, nagios_t) - - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nagios_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, nagios_tmp_t) - - logging_list_logs($1) - admin_pattern($1, nagios_log_t) - - files_list_etc($1) - admin_pattern($1, nagios_etc_t) - - files_list_spool($1) - admin_pattern($1, nagios_spool_t) - - files_list_pids($1) - admin_pattern($1, nagios_var_run_t) - - admin_pattern($1, nrpe_etc_t) -') diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te deleted file mode 100644 index 07017da55..000000000 --- a/policy/modules/services/nagios.te +++ /dev/null @@ -1,392 +0,0 @@ -policy_module(nagios, 1.10.2) - -######################################## -# -# Declarations -# - -type nagios_t; -type nagios_exec_t; -init_daemon_domain(nagios_t, nagios_exec_t) - -type nagios_etc_t; -files_config_file(nagios_etc_t) - -type nagios_initrc_exec_t; -init_script_file(nagios_initrc_exec_t) - -type nagios_log_t; -logging_log_file(nagios_log_t) - -type nagios_tmp_t; -files_tmp_file(nagios_tmp_t) - -type nagios_var_run_t; -files_pid_file(nagios_var_run_t) - -type nagios_spool_t; -files_type(nagios_spool_t) - -nagios_plugin_template(admin) -nagios_plugin_template(checkdisk) -nagios_plugin_template(mail) -nagios_plugin_template(services) -nagios_plugin_template(system) -nagios_plugin_template(unconfined) - -type nagios_system_plugin_tmp_t; -files_tmp_file(nagios_system_plugin_tmp_t) - -type nrpe_t; -type nrpe_exec_t; -init_daemon_domain(nrpe_t, nrpe_exec_t) - -type nrpe_etc_t; -files_config_file(nrpe_etc_t) - -type nrpe_var_run_t; -files_pid_file(nrpe_var_run_t) - -######################################## -# -# Nagios local policy -# - -allow nagios_t self:capability { dac_override setgid setuid }; -dontaudit nagios_t self:capability sys_tty_config; -allow nagios_t self:process { setpgid signal_perms }; -allow nagios_t self:fifo_file rw_file_perms; -allow nagios_t self:tcp_socket create_stream_socket_perms; -allow nagios_t self:udp_socket create_socket_perms; - -read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) -allow nagios_t nagios_etc_t:dir list_dir_perms; - -manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -logging_log_filetrans(nagios_t, nagios_log_t, { file dir }) - -manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir }) - -manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) -files_pid_filetrans(nagios_t, nagios_var_run_t, file) - -manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) - -kernel_read_system_state(nagios_t) -kernel_read_kernel_sysctls(nagios_t) - -corecmd_exec_bin(nagios_t) -corecmd_exec_shell(nagios_t) - -corenet_all_recvfrom_unlabeled(nagios_t) -corenet_all_recvfrom_netlabel(nagios_t) -corenet_tcp_sendrecv_generic_if(nagios_t) -corenet_udp_sendrecv_generic_if(nagios_t) -corenet_tcp_sendrecv_generic_node(nagios_t) -corenet_udp_sendrecv_generic_node(nagios_t) -corenet_tcp_sendrecv_all_ports(nagios_t) -corenet_udp_sendrecv_all_ports(nagios_t) -corenet_tcp_connect_all_ports(nagios_t) - -corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) -corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) - -dev_read_sysfs(nagios_t) -dev_read_urand(nagios_t) - -domain_use_interactive_fds(nagios_t) -# for ps -domain_read_all_domains_state(nagios_t) - -files_read_etc_files(nagios_t) -files_read_etc_runtime_files(nagios_t) -files_read_kernel_symbol_table(nagios_t) -files_search_spool(nagios_t) - -fs_getattr_all_fs(nagios_t) -fs_search_auto_mountpoints(nagios_t) - -# for who -init_read_utmp(nagios_t) - -auth_use_nsswitch(nagios_t) - -logging_send_syslog_msg(nagios_t) - -miscfiles_read_localization(nagios_t) - -userdom_dontaudit_use_unpriv_user_fds(nagios_t) -userdom_dontaudit_search_user_home_dirs(nagios_t) - -mta_send_mail(nagios_t) - -optional_policy(` - netutils_domtrans_ping(nagios_t) - netutils_signal_ping(nagios_t) - netutils_kill_ping(nagios_t) -') - -optional_policy(` - seutil_sigchld_newrole(nagios_t) -') - -optional_policy(` - udev_read_db(nagios_t) -') - -######################################## -# -# Nagios CGI local policy -# -optional_policy(` - apache_content_template(nagios) - typealias httpd_nagios_script_t alias nagios_cgi_t; - typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; - - allow httpd_nagios_script_t self:process signal_perms; - - read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - - files_search_spool(httpd_nagios_script_t) - rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) - - allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) - - allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - - kernel_read_system_state(httpd_nagios_script_t) - - domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - - files_read_etc_runtime_files(httpd_nagios_script_t) - files_read_kernel_symbol_table(httpd_nagios_script_t) - - logging_send_syslog_msg(httpd_nagios_script_t) -') - -######################################## -# -# Nagios remote plugin executor local policy -# - -allow nrpe_t self:capability { setuid setgid }; -dontaudit nrpe_t self:capability {sys_tty_config sys_resource}; -allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; -allow nrpe_t self:fifo_file rw_fifo_file_perms; -allow nrpe_t self:tcp_socket create_stream_socket_perms; - -domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) - -read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) -files_search_etc(nrpe_t) - -manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) -files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) - -kernel_read_system_state(nrpe_t) -kernel_read_kernel_sysctls(nrpe_t) - -corecmd_exec_bin(nrpe_t) -corecmd_exec_shell(nrpe_t) - -corenet_tcp_bind_generic_node(nrpe_t) -corenet_tcp_bind_inetd_child_port(nrpe_t) -corenet_sendrecv_unlabeled_packets(nrpe_t) - -dev_read_sysfs(nrpe_t) -dev_read_urand(nrpe_t) - -domain_use_interactive_fds(nrpe_t) -domain_read_all_domains_state(nrpe_t) - -files_read_etc_runtime_files(nrpe_t) -files_read_etc_files(nrpe_t) - -fs_getattr_all_fs(nrpe_t) -fs_search_auto_mountpoints(nrpe_t) - -auth_use_nsswitch(nrpe_t) - -logging_send_syslog_msg(nrpe_t) - -miscfiles_read_localization(nrpe_t) - -userdom_dontaudit_use_unpriv_user_fds(nrpe_t) - -optional_policy(` - inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) -') - -optional_policy(` - mta_send_mail(nrpe_t) -') - -optional_policy(` - seutil_sigchld_newrole(nrpe_t) -') - -optional_policy(` - tcpd_wrapped_domain(nrpe_t, nrpe_exec_t) -') - -optional_policy(` - udev_read_db(nrpe_t) -') - -##################################### -# -# local policy for admin check plugins -# - -corecmd_read_bin_files(nagios_admin_plugin_t) -corecmd_read_bin_symlinks(nagios_admin_plugin_t) - -dev_read_urand(nagios_admin_plugin_t) -dev_getattr_all_chr_files(nagios_admin_plugin_t) -dev_getattr_all_blk_files(nagios_admin_plugin_t) - -files_read_etc_files(nagios_admin_plugin_t) -# for check_file_age plugin -files_getattr_all_dirs(nagios_admin_plugin_t) -files_getattr_all_files(nagios_admin_plugin_t) -files_getattr_all_symlinks(nagios_admin_plugin_t) -files_getattr_all_pipes(nagios_admin_plugin_t) -files_getattr_all_sockets(nagios_admin_plugin_t) -files_getattr_all_file_type_fs(nagios_admin_plugin_t) - -###################################### -# -# local policy for mail check plugins -# - -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; - -allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; -allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; -allow nagios_mail_plugin_t self:udp_socket create_socket_perms; - -kernel_read_system_state(nagios_mail_plugin_t) -kernel_read_kernel_sysctls(nagios_mail_plugin_t) - -corecmd_read_bin_files(nagios_mail_plugin_t) -corecmd_read_bin_symlinks(nagios_mail_plugin_t) - -dev_read_urand(nagios_mail_plugin_t) - -files_read_etc_files(nagios_mail_plugin_t) - -logging_send_syslog_msg(nagios_mail_plugin_t) - -sysnet_read_config(nagios_mail_plugin_t) - -optional_policy(` - mta_send_mail(nagios_mail_plugin_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(nagios_mail_plugin_t) -') - -optional_policy(` - postfix_stream_connect_master(nagios_mail_plugin_t) - posftix_exec_postqueue(nagios_mail_plugin_t) -') - -###################################### -# -# local policy for disk check plugins -# - -# needed by ioctl() -allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; - -files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) -files_read_etc_runtime_files(nagios_checkdisk_plugin_t) - -fs_getattr_all_fs(nagios_checkdisk_plugin_t) - -storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) - -####################################### -# -# local policy for service check plugins -# - -allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; -allow nagios_services_plugin_t self:process { signal sigkill }; - -allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; -allow nagios_services_plugin_t self:udp_socket create_socket_perms; - -corecmd_exec_bin(nagios_services_plugin_t) - -corenet_tcp_connect_all_ports(nagios_services_plugin_t) -corenet_udp_bind_dhcpc_port(nagios_services_plugin_t) - -auth_use_nsswitch(nagios_services_plugin_t) - -domain_read_all_domains_state(nagios_services_plugin_t) - -files_read_usr_files(nagios_services_plugin_t) - -optional_policy(` - netutils_domtrans_ping(nagios_services_plugin_t) -') - -optional_policy(` - mysql_stream_connect(nagios_services_plugin_t) -') - -optional_policy(` - snmp_read_snmp_var_lib_files(nagios_services_plugin_t) -') - -###################################### -# -# local policy for system check plugins -# - -allow nagios_system_plugin_t self:capability dac_override; -dontaudit nagios_system_plugin_t self:capability { setuid setgid }; - -# check_log -manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) -manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) -files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) - -kernel_read_system_state(nagios_system_plugin_t) -kernel_read_kernel_sysctls(nagios_system_plugin_t) - -corecmd_exec_bin(nagios_system_plugin_t) -corecmd_exec_shell(nagios_system_plugin_t) - -dev_read_sysfs(nagios_system_plugin_t) -dev_read_urand(nagios_system_plugin_t) - -domain_read_all_domains_state(nagios_system_plugin_t) - -files_read_etc_files(nagios_system_plugin_t) - -# needed by check_users plugin -optional_policy(` - init_read_utmp(nagios_system_plugin_t) -') - -######################################## -# -# Unconfined plugin policy -# - -optional_policy(` - unconfined_domain(nagios_unconfined_plugin_t) -') diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc deleted file mode 100644 index 74da57f8e..000000000 --- a/policy/modules/services/nessus.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0) - -/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0) - -/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) - -/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0) - -/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0) diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if deleted file mode 100644 index 6ec80038a..000000000 --- a/policy/modules/services/nessus.if +++ /dev/null @@ -1,15 +0,0 @@ -## Nessus network scanning daemon - -######################################## -## -## Connect to nessus over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nessus_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te deleted file mode 100644 index b16c38731..000000000 --- a/policy/modules/services/nessus.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(nessus, 1.7.0) - -######################################## -# -# Local policy -# - -type nessusd_t; -type nessusd_exec_t; -init_daemon_domain(nessusd_t, nessusd_exec_t) - -type nessusd_db_t; -files_type(nessusd_db_t) - -type nessusd_etc_t; -files_config_file(nessusd_etc_t) - -type nessusd_log_t; -logging_log_file(nessusd_log_t) - -type nessusd_var_run_t; -files_pid_file(nessusd_var_run_t) - -######################################## -# -# Declarations -# - -allow nessusd_t self:capability net_raw; -dontaudit nessusd_t self:capability sys_tty_config; -allow nessusd_t self:process { setsched signal_perms }; -allow nessusd_t self:fifo_file rw_fifo_file_perms; -allow nessusd_t self:tcp_socket create_stream_socket_perms; -allow nessusd_t self:udp_socket create_socket_perms; -allow nessusd_t self:rawip_socket create_socket_perms; -allow nessusd_t self:packet_socket create_socket_perms; - -# Allow access to the nessusd authentication database -manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) -files_list_var_lib(nessusd_t) - -allow nessusd_t nessusd_etc_t:file read_file_perms; -files_search_etc(nessusd_t) - -manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) -logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir }) - -manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t) -files_pid_filetrans(nessusd_t, nessusd_var_run_t, file) - -kernel_read_system_state(nessusd_t) -kernel_read_kernel_sysctls(nessusd_t) - -# for nmap etc -corecmd_exec_bin(nessusd_t) - -corenet_all_recvfrom_unlabeled(nessusd_t) -corenet_all_recvfrom_netlabel(nessusd_t) -corenet_tcp_sendrecv_generic_if(nessusd_t) -corenet_udp_sendrecv_generic_if(nessusd_t) -corenet_raw_sendrecv_generic_if(nessusd_t) -corenet_tcp_sendrecv_generic_node(nessusd_t) -corenet_udp_sendrecv_generic_node(nessusd_t) -corenet_raw_sendrecv_generic_node(nessusd_t) -corenet_tcp_sendrecv_all_ports(nessusd_t) -corenet_udp_sendrecv_all_ports(nessusd_t) -corenet_tcp_bind_generic_node(nessusd_t) -corenet_tcp_bind_nessus_port(nessusd_t) -corenet_tcp_connect_all_ports(nessusd_t) -corenet_sendrecv_all_client_packets(nessusd_t) -corenet_sendrecv_nessus_server_packets(nessusd_t) - -dev_read_sysfs(nessusd_t) -dev_read_urand(nessusd_t) - -domain_use_interactive_fds(nessusd_t) - -files_read_etc_files(nessusd_t) -files_read_etc_runtime_files(nessusd_t) - -fs_getattr_all_fs(nessusd_t) -fs_search_auto_mountpoints(nessusd_t) - -logging_send_syslog_msg(nessusd_t) - -miscfiles_read_localization(nessusd_t) - -sysnet_read_config(nessusd_t) - -userdom_dontaudit_use_unpriv_user_fds(nessusd_t) -userdom_dontaudit_search_user_home_dirs(nessusd_t) - -optional_policy(` - nis_use_ypbind(nessusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(nessusd_t) -') - -optional_policy(` - udev_read_db(nessusd_t) -') diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc deleted file mode 100644 index 386543b82..000000000 --- a/policy/modules/services/networkmanager.fc +++ /dev/null @@ -1,26 +0,0 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - -/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) -/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) - -/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) -/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - -/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if deleted file mode 100644 index 2324d9e5c..000000000 --- a/policy/modules/services/networkmanager.if +++ /dev/null @@ -1,193 +0,0 @@ -## Manager for dynamically switching between networks. - -######################################## -## -## Read and write NetworkManager UDP sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`networkmanager_rw_udp_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:udp_socket { read write }; -') - -######################################## -## -## Read and write NetworkManager packet sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`networkmanager_rw_packet_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:packet_socket { read write }; -') - -####################################### -## -## Allow caller to relabel tun_socket -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_attach_tun_iface',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Read and write NetworkManager netlink -## routing sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`networkmanager_rw_routing_sockets',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:netlink_route_socket { read write }; -') - -######################################## -## -## Execute NetworkManager with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`networkmanager_domtrans',` - gen_require(` - type NetworkManager_t, NetworkManager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) -') - -######################################## -## -## Execute NetworkManager scripts with an automatic domain transition to initrc. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`networkmanager_initrc_domtrans',` - gen_require(` - type NetworkManager_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) -') - -######################################## -## -## Send and receive messages from -## NetworkManager over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_dbus_chat',` - gen_require(` - type NetworkManager_t; - class dbus send_msg; - ') - - allow $1 NetworkManager_t:dbus send_msg; - allow NetworkManager_t $1:dbus send_msg; -') - -######################################## -## -## Send a generic signal to NetworkManager -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_signal',` - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:process signal; -') - -######################################## -## -## Read NetworkManager lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_read_lib_files',` - gen_require(` - type NetworkManager_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -') - -######################################## -## -## Read NetworkManager PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`networkmanager_read_pid_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; -') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te deleted file mode 100644 index 061939528..000000000 --- a/policy/modules/services/networkmanager.te +++ /dev/null @@ -1,289 +0,0 @@ -policy_module(networkmanager, 1.14.0) - -######################################## -# -# Declarations -# - -type NetworkManager_t; -type NetworkManager_exec_t; -init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) - -type NetworkManager_initrc_exec_t; -init_script_file(NetworkManager_initrc_exec_t) - -type NetworkManager_log_t; -logging_log_file(NetworkManager_log_t) - -type NetworkManager_tmp_t; -files_tmp_file(NetworkManager_tmp_t) - -type NetworkManager_var_lib_t; -files_type(NetworkManager_var_lib_t) - -type NetworkManager_var_run_t; -files_pid_file(NetworkManager_var_run_t) - -type wpa_cli_t; -type wpa_cli_exec_t; -init_system_domain(wpa_cli_t, wpa_cli_exec_t) - -######################################## -# -# Local policy -# - -# networkmanager will ptrace itself if gdb is installed -# and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; -allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; -allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; -allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; -allow NetworkManager_t self:tcp_socket create_stream_socket_perms; -allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom }; -allow NetworkManager_t self:udp_socket create_socket_perms; -allow NetworkManager_t self:packet_socket create_socket_perms; - -allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; - -can_exec(NetworkManager_t, NetworkManager_exec_t) - -manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) -logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - -manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) - -manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) - -manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) - -kernel_read_system_state(NetworkManager_t) -kernel_read_network_state(NetworkManager_t) -kernel_read_kernel_sysctls(NetworkManager_t) -kernel_request_load_module(NetworkManager_t) -kernel_read_debugfs(NetworkManager_t) -kernel_rw_net_sysctls(NetworkManager_t) - -corenet_all_recvfrom_unlabeled(NetworkManager_t) -corenet_all_recvfrom_netlabel(NetworkManager_t) -corenet_tcp_sendrecv_generic_if(NetworkManager_t) -corenet_udp_sendrecv_generic_if(NetworkManager_t) -corenet_raw_sendrecv_generic_if(NetworkManager_t) -corenet_tcp_sendrecv_generic_node(NetworkManager_t) -corenet_udp_sendrecv_generic_node(NetworkManager_t) -corenet_raw_sendrecv_generic_node(NetworkManager_t) -corenet_tcp_sendrecv_all_ports(NetworkManager_t) -corenet_udp_sendrecv_all_ports(NetworkManager_t) -corenet_udp_bind_generic_node(NetworkManager_t) -corenet_udp_bind_isakmp_port(NetworkManager_t) -corenet_udp_bind_dhcpc_port(NetworkManager_t) -corenet_tcp_connect_all_ports(NetworkManager_t) -corenet_sendrecv_isakmp_server_packets(NetworkManager_t) -corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) -corenet_sendrecv_all_client_packets(NetworkManager_t) -corenet_rw_tun_tap_dev(NetworkManager_t) -corenet_getattr_ppp_dev(NetworkManager_t) - -dev_read_sysfs(NetworkManager_t) -dev_read_rand(NetworkManager_t) -dev_read_urand(NetworkManager_t) -dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) -dev_getattr_all_chr_files(NetworkManager_t) - -fs_getattr_all_fs(NetworkManager_t) -fs_search_auto_mountpoints(NetworkManager_t) -fs_list_inotifyfs(NetworkManager_t) - -mls_file_read_all_levels(NetworkManager_t) - -selinux_dontaudit_search_fs(NetworkManager_t) - -corecmd_exec_shell(NetworkManager_t) -corecmd_exec_bin(NetworkManager_t) - -domain_use_interactive_fds(NetworkManager_t) -domain_read_confined_domains_state(NetworkManager_t) - -files_read_etc_files(NetworkManager_t) -files_read_etc_runtime_files(NetworkManager_t) -files_read_usr_files(NetworkManager_t) -files_read_usr_src_files(NetworkManager_t) - -storage_getattr_fixed_disk_dev(NetworkManager_t) - -init_read_utmp(NetworkManager_t) -init_dontaudit_write_utmp(NetworkManager_t) -init_domtrans_script(NetworkManager_t) - -auth_use_nsswitch(NetworkManager_t) - -logging_send_syslog_msg(NetworkManager_t) - -miscfiles_read_localization(NetworkManager_t) -miscfiles_read_generic_certs(NetworkManager_t) - -modutils_domtrans_insmod(NetworkManager_t) - -seutil_read_config(NetworkManager_t) - -sysnet_domtrans_ifconfig(NetworkManager_t) -sysnet_domtrans_dhcpc(NetworkManager_t) -sysnet_signal_dhcpc(NetworkManager_t) -sysnet_read_dhcpc_pid(NetworkManager_t) -sysnet_delete_dhcpc_pid(NetworkManager_t) -sysnet_search_dhcp_state(NetworkManager_t) -# in /etc created by NetworkManager will be labelled net_conf_t. -sysnet_manage_config(NetworkManager_t) -sysnet_etc_filetrans_config(NetworkManager_t) - -userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) -userdom_dontaudit_use_user_ttys(NetworkManager_t) -# Read gnome-keyring -userdom_read_user_home_content_files(NetworkManager_t) - -optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) - avahi_signull(NetworkManager_t) -') - -optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) - bind_kill(NetworkManager_t) - bind_signal(NetworkManager_t) - bind_signull(NetworkManager_t) -') - -optional_policy(` - bluetooth_dontaudit_read_helper_state(NetworkManager_t) -') - -optional_policy(` - consoletype_exec(NetworkManager_t) -') - -optional_policy(` - dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) - - optional_policy(` - consolekit_dbus_chat(NetworkManager_t) - ') -') - -optional_policy(` - dnsmasq_read_pid_files(NetworkManager_t) - dnsmasq_delete_pid_files(NetworkManager_t) - dnsmasq_domtrans(NetworkManager_t) - dnsmasq_initrc_domtrans(NetworkManager_t) - dnsmasq_kill(NetworkManager_t) - dnsmasq_signal(NetworkManager_t) - dnsmasq_signull(NetworkManager_t) -') - -optional_policy(` - hal_write_log(NetworkManager_t) -') - -optional_policy(` - howl_signal(NetworkManager_t) -') - -optional_policy(` - iptables_domtrans(NetworkManager_t) -') - -optional_policy(` - nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) - nscd_signull(NetworkManager_t) - nscd_kill(NetworkManager_t) - nscd_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - # Dispatcher starting and stoping ntp - ntp_initrc_domtrans(NetworkManager_t) -') - -optional_policy(` - openvpn_domtrans(NetworkManager_t) - openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) - openvpn_signull(NetworkManager_t) -') - -optional_policy(` - policykit_dbus_chat(NetworkManager_t) - policykit_domtrans_auth(NetworkManager_t) - policykit_read_lib(NetworkManager_t) - policykit_read_reload(NetworkManager_t) - userdom_read_all_users_state(NetworkManager_t) -') - -optional_policy(` - ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_manage_pid_files(NetworkManager_t) - ppp_kill(NetworkManager_t) - ppp_signal(NetworkManager_t) - ppp_signull(NetworkManager_t) - ppp_read_config(NetworkManager_t) -') - -optional_policy(` - rpm_exec(NetworkManager_t) - rpm_read_db(NetworkManager_t) - rpm_dontaudit_manage_db(NetworkManager_t) -') - -optional_policy(` - seutil_sigchld_newrole(NetworkManager_t) -') - -optional_policy(` - udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) -') - -optional_policy(` - vpn_domtrans(NetworkManager_t) - vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) - vpn_signull(NetworkManager_t) -') - -######################################## -# -# wpa_cli local policy -# - -allow wpa_cli_t self:capability dac_override; -allow wpa_cli_t self:unix_dgram_socket create_socket_perms; - -allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; - -manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) - -list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) - -init_dontaudit_use_fds(wpa_cli_t) -init_use_script_ptys(wpa_cli_t) - -miscfiles_read_localization(wpa_cli_t) - -term_dontaudit_use_console(wpa_cli_t) diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc deleted file mode 100644 index 15448d534..000000000 --- a/policy/modules/services/nis.fc +++ /dev/null @@ -1,21 +0,0 @@ -/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - -/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - -/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - -/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) -/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) - -/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) - -/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) -/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) -/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) -/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if deleted file mode 100644 index abe3f7f3a..000000000 --- a/policy/modules/services/nis.if +++ /dev/null @@ -1,396 +0,0 @@ -## Policy for NIS (YP) servers and clients - -######################################## -## -## Use the ypbind service to access NIS services -## unconditionally. -## -## -##

-## Use the ypbind service to access NIS services -## unconditionally. -##

-##

-## This interface was added because of apache and -## spamassassin, to fix a nested conditionals problem. -## When that support is added, this should be removed, -## and the regular interface should be used. -##

-## -## -## -## Domain allowed access. -## -## -# -interface(`nis_use_ypbind_uncond',` - gen_require(` - type var_yp_t; - ') - - allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - allow $1 var_yp_t:dir list_dir_perms; - allow $1 var_yp_t:lnk_file { getattr read }; - allow $1 var_yp_t:file read_file_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_all_ports($1) - corenet_udp_sendrecv_all_ports($1) - corenet_tcp_bind_generic_node($1) - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) - corenet_tcp_connect_reserved_port($1) - corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) - corenet_sendrecv_portmap_client_packets($1) - corenet_sendrecv_generic_client_packets($1) - corenet_sendrecv_generic_server_packets($1) - - sysnet_read_config($1) -') - -######################################## -## -## Use the ypbind service to access NIS services. -## -## -##

-## Allow the specified domain to use the ypbind service -## to access Network Information Service (NIS) services. -## Information that can be retreived from NIS includes -## usernames, passwords, home directories, and groups. -## If the network is configured to have a single sign-on -## using NIS, it is likely that any program that does -## authentication will need this access. -##

-## -## -## -## Domain allowed access. -## -## -## -## -# -interface(`nis_use_ypbind',` - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - ') -') - -######################################## -## -## Use the nis to authenticate passwords -## -## -## -## Domain allowed access. -## -## -## -# -interface(`nis_authenticate',` - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) - ') -') - -######################################## -## -## Execute ypbind in the ypbind domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nis_domtrans_ypbind',` - gen_require(` - type ypbind_t, ypbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypbind_exec_t, ypbind_t) -') - -######################################## -## -## Execute ypbind in the ypbind domain, and -## allow the specified role the ypbind domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nis_run_ypbind',` - gen_require(` - type ypbind_t; - ') - - nis_domtrans_ypbind($1) - role $2 types ypbind_t; -') - -######################################## -## -## Send generic signals to ypbind. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_signal_ypbind',` - gen_require(` - type ypbind_t; - ') - - allow $1 ypbind_t:process signal; -') - -######################################## -## -## List the contents of the NIS data directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_list_var_yp',` - gen_require(` - type var_yp_t; - ') - - files_search_var($1) - allow $1 var_yp_t:dir list_dir_perms; -') - -######################################## -## -## Send UDP network traffic to NIS clients. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_udp_send_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to ypbind over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_tcp_connect_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read ypbind pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_read_ypbind_pid',` - gen_require(` - type ypbind_var_run_t; - ') - - files_search_pids($1) - allow $1 ypbind_var_run_t:file read_file_perms; -') - -######################################## -## -## Delete ypbind pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_delete_ypbind_pid',` - gen_require(` - type ypbind_t; - ') - - # TODO: add delete pid from dir call to files - allow $1 ypbind_t:file unlink; -') - -######################################## -## -## Read ypserv configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nis_read_ypserv_config',` - gen_require(` - type ypserv_conf_t; - ') - - files_search_etc($1) - allow $1 ypserv_conf_t:file read_file_perms; -') - -######################################## -## -## Execute ypxfr in the ypxfr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nis_domtrans_ypxfr',` - gen_require(` - type ypxfr_t, ypxfr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) -') - -######################################## -## -## Execute nis server in the nis domain. -## -## -## -## Domain allowed to transition. -## -## -# -# -interface(`nis_initrc_domtrans',` - gen_require(` - type nis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nis_initrc_exec_t) -') - -######################################## -## -## Execute nis server in the nis domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nis_initrc_domtrans_ypbind',` - gen_require(` - type ypbind_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ypbind_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an nis environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nis_admin',` - gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; - type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t; - ') - - allow $1 ypbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, ypbind_t) - - allow $1 yppasswdd_t:process { ptrace signal_perms }; - ps_process_pattern($1, yppasswdd_t) - - allow $1 ypserv_t:process { ptrace signal_perms }; - ps_process_pattern($1, ypserv_t) - - allow $1 ypxfr_t:process { ptrace signal_perms }; - ps_process_pattern($1, ypxfr_t) - - nis_initrc_domtrans($1) - nis_initrc_domtrans_ypbind($1) - domain_system_change_exemption($1) - role_transition $2 nis_initrc_exec_t system_r; - role_transition $2 ypbind_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, ypbind_tmp_t) - - files_list_pids($1) - admin_pattern($1, ypbind_var_run_t) - - admin_pattern($1, yppasswdd_var_run_t) - - files_list_etc($1) - admin_pattern($1, ypserv_conf_t) - - admin_pattern($1, ypserv_tmp_t) - - admin_pattern($1, ypserv_var_run_t) -') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te deleted file mode 100644 index 4876caec4..000000000 --- a/policy/modules/services/nis.te +++ /dev/null @@ -1,347 +0,0 @@ -policy_module(nis, 1.10.0) - -######################################## -# -# Declarations -# - -type nis_initrc_exec_t; -init_script_file(nis_initrc_exec_t) - -type var_yp_t; -files_type(var_yp_t) - -type ypbind_t; -type ypbind_exec_t; -init_daemon_domain(ypbind_t, ypbind_exec_t) - -type ypbind_initrc_exec_t; -init_script_file(ypbind_initrc_exec_t) - -type ypbind_tmp_t; -files_tmp_file(ypbind_tmp_t) - -type ypbind_var_run_t; -files_pid_file(ypbind_var_run_t) - -type yppasswdd_t; -type yppasswdd_exec_t; -init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) -domain_obj_id_change_exemption(yppasswdd_t) - -type yppasswdd_var_run_t; -files_pid_file(yppasswdd_var_run_t) - -type ypserv_t; -type ypserv_exec_t; -init_daemon_domain(ypserv_t, ypserv_exec_t) - -type ypserv_conf_t; -files_type(ypserv_conf_t) - -type ypserv_tmp_t; -files_tmp_file(ypserv_tmp_t) - -type ypserv_var_run_t; -files_pid_file(ypserv_var_run_t) - -type ypxfr_t; -type ypxfr_exec_t; -init_daemon_domain(ypxfr_t, ypxfr_exec_t) - -type ypxfr_var_run_t; -files_pid_file(ypxfr_var_run_t) - -######################################## -# -# ypbind local policy - -dontaudit ypbind_t self:capability { net_admin sys_tty_config }; -allow ypbind_t self:fifo_file rw_fifo_file_perms; -allow ypbind_t self:process signal_perms; -allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; -allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; -allow ypbind_t self:tcp_socket create_stream_socket_perms; -allow ypbind_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) -manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) -files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir }) - -manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) -files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) - -manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) - -kernel_read_system_state(ypbind_t) -kernel_read_kernel_sysctls(ypbind_t) - -corenet_all_recvfrom_unlabeled(ypbind_t) -corenet_all_recvfrom_netlabel(ypbind_t) -corenet_tcp_sendrecv_generic_if(ypbind_t) -corenet_udp_sendrecv_generic_if(ypbind_t) -corenet_tcp_sendrecv_generic_node(ypbind_t) -corenet_udp_sendrecv_generic_node(ypbind_t) -corenet_tcp_sendrecv_all_ports(ypbind_t) -corenet_udp_sendrecv_all_ports(ypbind_t) -corenet_tcp_bind_generic_node(ypbind_t) -corenet_udp_bind_generic_node(ypbind_t) -corenet_tcp_bind_generic_port(ypbind_t) -corenet_udp_bind_generic_port(ypbind_t) -corenet_tcp_bind_reserved_port(ypbind_t) -corenet_udp_bind_reserved_port(ypbind_t) -corenet_tcp_bind_all_rpc_ports(ypbind_t) -corenet_udp_bind_all_rpc_ports(ypbind_t) -corenet_tcp_connect_all_ports(ypbind_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) -corenet_sendrecv_all_client_packets(ypbind_t) -corenet_sendrecv_generic_server_packets(ypbind_t) - -dev_read_sysfs(ypbind_t) - -fs_getattr_all_fs(ypbind_t) -fs_search_auto_mountpoints(ypbind_t) - -domain_use_interactive_fds(ypbind_t) - -files_read_etc_files(ypbind_t) -files_list_var(ypbind_t) - -logging_send_syslog_msg(ypbind_t) - -miscfiles_read_localization(ypbind_t) - -sysnet_read_config(ypbind_t) - -userdom_dontaudit_use_unpriv_user_fds(ypbind_t) -userdom_dontaudit_search_user_home_dirs(ypbind_t) - -optional_policy(` - dbus_system_bus_client(ypbind_t) - dbus_connect_system_bus(ypbind_t) - init_dbus_chat_script(ypbind_t) - - optional_policy(` - networkmanager_dbus_chat(ypbind_t) - ') -') - -optional_policy(` - seutil_sigchld_newrole(ypbind_t) -') - -optional_policy(` - udev_read_db(ypbind_t) -') - -######################################## -# -# yppasswdd local policy -# - -allow yppasswdd_t self:capability dac_override; -dontaudit yppasswdd_t self:capability sys_tty_config; -allow yppasswdd_t self:fifo_file rw_fifo_file_perms; -allow yppasswdd_t self:process { getsched setfscreate signal_perms }; -allow yppasswdd_t self:unix_dgram_socket create_socket_perms; -allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; -allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -allow yppasswdd_t self:tcp_socket create_stream_socket_perms; -allow yppasswdd_t self:udp_socket create_socket_perms; - -manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t) -files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) - -manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) -manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) - -kernel_list_proc(yppasswdd_t) -kernel_read_proc_symlinks(yppasswdd_t) -kernel_getattr_proc_files(yppasswdd_t) -kernel_read_kernel_sysctls(yppasswdd_t) - -corenet_all_recvfrom_unlabeled(yppasswdd_t) -corenet_all_recvfrom_netlabel(yppasswdd_t) -corenet_tcp_sendrecv_generic_if(yppasswdd_t) -corenet_udp_sendrecv_generic_if(yppasswdd_t) -corenet_tcp_sendrecv_generic_node(yppasswdd_t) -corenet_udp_sendrecv_generic_node(yppasswdd_t) -corenet_tcp_sendrecv_all_ports(yppasswdd_t) -corenet_udp_sendrecv_all_ports(yppasswdd_t) -corenet_tcp_bind_generic_node(yppasswdd_t) -corenet_udp_bind_generic_node(yppasswdd_t) -corenet_tcp_bind_all_rpc_ports(yppasswdd_t) -corenet_udp_bind_all_rpc_ports(yppasswdd_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) -corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) -corenet_sendrecv_generic_server_packets(yppasswdd_t) - -dev_read_sysfs(yppasswdd_t) - -fs_getattr_all_fs(yppasswdd_t) -fs_search_auto_mountpoints(yppasswdd_t) - -selinux_get_fs_mount(yppasswdd_t) - -auth_manage_shadow(yppasswdd_t) -auth_relabel_shadow(yppasswdd_t) -auth_etc_filetrans_shadow(yppasswdd_t) - -corecmd_exec_bin(yppasswdd_t) -corecmd_exec_shell(yppasswdd_t) - -domain_use_interactive_fds(yppasswdd_t) - -files_read_etc_files(yppasswdd_t) -files_read_etc_runtime_files(yppasswdd_t) -files_relabel_etc_files(yppasswdd_t) - -logging_send_syslog_msg(yppasswdd_t) - -miscfiles_read_localization(yppasswdd_t) - -sysnet_read_config(yppasswdd_t) - -userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) -userdom_dontaudit_search_user_home_dirs(yppasswdd_t) - -optional_policy(` - hostname_exec(yppasswdd_t) -') - -optional_policy(` - seutil_sigchld_newrole(yppasswdd_t) -') - -optional_policy(` - udev_read_db(yppasswdd_t) -') - -######################################## -# -# ypserv local policy -# - -dontaudit ypserv_t self:capability sys_tty_config; -allow ypserv_t self:fifo_file rw_fifo_file_perms; -allow ypserv_t self:process signal_perms; -allow ypserv_t self:unix_dgram_socket create_socket_perms; -allow ypserv_t self:unix_stream_socket create_stream_socket_perms; -allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; -allow ypserv_t self:tcp_socket connected_stream_socket_perms; -allow ypserv_t self:udp_socket create_socket_perms; - -manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) - -allow ypserv_t ypserv_conf_t:file read_file_perms; - -manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) -manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) -files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir }) - -manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t) -files_pid_filetrans(ypserv_t, ypserv_var_run_t, file) - -kernel_read_kernel_sysctls(ypserv_t) -kernel_list_proc(ypserv_t) -kernel_read_proc_symlinks(ypserv_t) - -corenet_all_recvfrom_unlabeled(ypserv_t) -corenet_all_recvfrom_netlabel(ypserv_t) -corenet_tcp_sendrecv_generic_if(ypserv_t) -corenet_udp_sendrecv_generic_if(ypserv_t) -corenet_tcp_sendrecv_generic_node(ypserv_t) -corenet_udp_sendrecv_generic_node(ypserv_t) -corenet_tcp_sendrecv_all_ports(ypserv_t) -corenet_udp_sendrecv_all_ports(ypserv_t) -corenet_tcp_bind_generic_node(ypserv_t) -corenet_udp_bind_generic_node(ypserv_t) -corenet_tcp_bind_reserved_port(ypserv_t) -corenet_udp_bind_reserved_port(ypserv_t) -corenet_tcp_bind_all_rpc_ports(ypserv_t) -corenet_udp_bind_all_rpc_ports(ypserv_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) -corenet_sendrecv_generic_server_packets(ypserv_t) - -dev_read_sysfs(ypserv_t) - -fs_getattr_all_fs(ypserv_t) -fs_search_auto_mountpoints(ypserv_t) - -corecmd_exec_bin(ypserv_t) - -domain_use_interactive_fds(ypserv_t) - -files_read_var_files(ypserv_t) -files_read_etc_files(ypserv_t) - -logging_send_syslog_msg(ypserv_t) - -miscfiles_read_localization(ypserv_t) - -nis_domtrans_ypxfr(ypserv_t) - -sysnet_read_config(ypserv_t) - -userdom_dontaudit_use_unpriv_user_fds(ypserv_t) -userdom_dontaudit_search_user_home_dirs(ypserv_t) - -optional_policy(` - seutil_sigchld_newrole(ypserv_t) -') - -optional_policy(` - udev_read_db(ypserv_t) -') - -######################################## -# -# ypxfr local policy -# - -allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; -allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms; -allow ypxfr_t self:tcp_socket create_stream_socket_perms; -allow ypxfr_t self:udp_socket create_socket_perms; -allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; - -manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t) - -allow ypxfr_t ypserv_t:tcp_socket { read write }; -allow ypxfr_t ypserv_t:udp_socket { read write }; - -allow ypxfr_t ypserv_conf_t:file read_file_perms; - -manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) -files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) - -corenet_all_recvfrom_unlabeled(ypxfr_t) -corenet_all_recvfrom_netlabel(ypxfr_t) -corenet_tcp_sendrecv_generic_if(ypxfr_t) -corenet_udp_sendrecv_generic_if(ypxfr_t) -corenet_tcp_sendrecv_generic_node(ypxfr_t) -corenet_udp_sendrecv_generic_node(ypxfr_t) -corenet_tcp_sendrecv_all_ports(ypxfr_t) -corenet_udp_sendrecv_all_ports(ypxfr_t) -corenet_tcp_bind_generic_node(ypxfr_t) -corenet_udp_bind_generic_node(ypxfr_t) -corenet_tcp_bind_reserved_port(ypxfr_t) -corenet_udp_bind_reserved_port(ypxfr_t) -corenet_tcp_bind_all_rpc_ports(ypxfr_t) -corenet_udp_bind_all_rpc_ports(ypxfr_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) -corenet_tcp_connect_all_ports(ypxfr_t) -corenet_sendrecv_generic_server_packets(ypxfr_t) -corenet_sendrecv_all_client_packets(ypxfr_t) - -files_read_etc_files(ypxfr_t) -files_search_usr(ypxfr_t) - -logging_send_syslog_msg(ypxfr_t) - -miscfiles_read_localization(ypxfr_t) - -sysnet_read_config(ypxfr_t) diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc deleted file mode 100644 index 623b73123..000000000 --- a/policy/modules/services/nscd.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - -/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - -/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) -/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) - -/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) -/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if deleted file mode 100644 index 85188dc77..000000000 --- a/policy/modules/services/nscd.if +++ /dev/null @@ -1,291 +0,0 @@ -## Name service cache daemon - -######################################## -## -## Send generic signals to NSCD. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_signal',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signal; -') - -######################################## -## -## Send NSCD the kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_kill',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process sigkill; -') - -######################################## -## -## Send signulls to NSCD. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_signull',` - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signull; -') - -######################################## -## -## Execute NSCD in the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nscd_domtrans',` - gen_require(` - type nscd_t, nscd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nscd_exec_t, nscd_t) -') - -######################################## -## -## Allow the specified domain to execute nscd -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_exec',` - gen_require(` - type nscd_exec_t; - ') - - can_exec($1, nscd_exec_t) -') - -######################################## -## -## Use NSCD services by connecting using -## a unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_socket_use',` - gen_require(` - type nscd_t, nscd_var_run_t; - class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') - - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file { getattr read }; -') - -######################################## -## -## Use NSCD services by mapping the database from -## an inherited NSCD file descriptor. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_shm_use',` - gen_require(` - type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - ') - - allow $1 nscd_var_run_t:dir list_dir_perms; - allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; - - # Receive fd from nscd and map the backing file with read access. - allow $1 nscd_t:fd use; - - # cjp: these were originally inherited from the - # nscd_socket_domain macro. need to investigate - # if they are all actually required - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 nscd_t:unix_stream_socket connectto; - allow $1 nscd_var_run_t:sock_file rw_file_perms; - files_search_pids($1) - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_var_run_t:file { getattr read }; -') - -######################################## -## -## Do not audit attempts to search the NSCD pid directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`nscd_dontaudit_search_pid',` - gen_require(` - type nscd_var_run_t; - ') - - dontaudit $1 nscd_var_run_t:dir search; -') - -######################################## -## -## Read NSCD pid file. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_read_pid',` - gen_require(` - type nscd_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, nscd_var_run_t, nscd_var_run_t) -') - -######################################## -## -## Unconfined access to NSCD services. -## -## -## -## Domain allowed access. -## -## -# -interface(`nscd_unconfined',` - gen_require(` - type nscd_t; - class nscd all_nscd_perms; - ') - - allow $1 nscd_t:nscd *; -') - -######################################## -## -## Execute nscd in the nscd domain, and -## allow the specified role the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`nscd_run',` - gen_require(` - type nscd_t; - ') - - nscd_domtrans($1) - role $2 types nscd_t; -') - -######################################## -## -## Execute the nscd server init script. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nscd_initrc_domtrans',` - gen_require(` - type nscd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an nscd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the nscd domain. -## -## -## -# -interface(`nscd_admin',` - gen_require(` - type nscd_t, nscd_log_t, nscd_var_run_t; - type nscd_initrc_exec_t; - ') - - allow $1 nscd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nscd_t) - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nscd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, nscd_log_t) - - files_list_pids($1) - admin_pattern($1, nscd_var_run_t) -') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te deleted file mode 100644 index 7936e09ce..000000000 --- a/policy/modules/services/nscd.te +++ /dev/null @@ -1,129 +0,0 @@ -policy_module(nscd, 1.10.0) - -gen_require(` - class nscd all_nscd_perms; -') - -######################################## -# -# Declarations -# - -# cjp: this is out of order because of an -# ordering problem with loadable modules -type nscd_var_run_t; -files_pid_file(nscd_var_run_t) - -# nscd is both the client program and the daemon. -type nscd_t; -type nscd_exec_t; -init_daemon_domain(nscd_t, nscd_exec_t) - -type nscd_initrc_exec_t; -init_script_file(nscd_initrc_exec_t) - -type nscd_log_t; -logging_log_file(nscd_log_t) - -######################################## -# -# Local policy -# - -allow nscd_t self:capability { kill setgid setuid }; -dontaudit nscd_t self:capability sys_tty_config; -allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; -allow nscd_t self:fifo_file read_fifo_file_perms; -allow nscd_t self:unix_stream_socket create_stream_socket_perms; -allow nscd_t self:unix_dgram_socket create_socket_perms; -allow nscd_t self:netlink_selinux_socket create_socket_perms; -allow nscd_t self:tcp_socket create_socket_perms; -allow nscd_t self:udp_socket create_socket_perms; - -# For client program operation, invoked from sysadm_t. -# Transition occurs to nscd_t due to direct_sysadm_daemon. -allow nscd_t self:nscd { admin getstat }; - -allow nscd_t nscd_log_t:file manage_file_perms; -logging_log_filetrans(nscd_t, nscd_log_t, file) - -manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) - -corecmd_search_bin(nscd_t) -can_exec(nscd_t, nscd_exec_t) - -kernel_read_kernel_sysctls(nscd_t) -kernel_list_proc(nscd_t) -kernel_read_proc_symlinks(nscd_t) - -dev_read_sysfs(nscd_t) -dev_read_rand(nscd_t) -dev_read_urand(nscd_t) - -fs_getattr_all_fs(nscd_t) -fs_search_auto_mountpoints(nscd_t) -fs_list_inotifyfs(nscd_t) - -# for when /etc/passwd has just been updated and has the wrong type -auth_getattr_shadow(nscd_t) -auth_use_nsswitch(nscd_t) - -corenet_all_recvfrom_unlabeled(nscd_t) -corenet_all_recvfrom_netlabel(nscd_t) -corenet_tcp_sendrecv_generic_if(nscd_t) -corenet_udp_sendrecv_generic_if(nscd_t) -corenet_tcp_sendrecv_generic_node(nscd_t) -corenet_udp_sendrecv_generic_node(nscd_t) -corenet_tcp_sendrecv_all_ports(nscd_t) -corenet_udp_sendrecv_all_ports(nscd_t) -corenet_udp_bind_generic_node(nscd_t) -corenet_tcp_connect_all_ports(nscd_t) -corenet_sendrecv_all_client_packets(nscd_t) -corenet_rw_tun_tap_dev(nscd_t) - -selinux_get_fs_mount(nscd_t) -selinux_validate_context(nscd_t) -selinux_compute_access_vector(nscd_t) -selinux_compute_create_context(nscd_t) -selinux_compute_relabel_context(nscd_t) -selinux_compute_user_contexts(nscd_t) -domain_use_interactive_fds(nscd_t) - -files_read_etc_files(nscd_t) -files_read_generic_tmp_symlinks(nscd_t) -# Needed to read files created by firstboot "/etc/hesiod.conf" -files_read_etc_runtime_files(nscd_t) - -logging_send_audit_msgs(nscd_t) -logging_send_syslog_msg(nscd_t) - -miscfiles_read_localization(nscd_t) - -seutil_read_config(nscd_t) -seutil_read_default_contexts(nscd_t) -seutil_sigchld_newrole(nscd_t) - -sysnet_read_config(nscd_t) - -userdom_dontaudit_use_user_terminals(nscd_t) -userdom_dontaudit_use_unpriv_user_fds(nscd_t) -userdom_dontaudit_search_user_home_dirs(nscd_t) - -optional_policy(` - cron_read_system_job_tmp_files(nscd_t) -') - -optional_policy(` - kerberos_use(nscd_t) -') - -optional_policy(` - udev_read_db(nscd_t) -') - -optional_policy(` - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) -') diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc deleted file mode 100644 index 53cc8004d..000000000 --- a/policy/modules/services/nsd.fc +++ /dev/null @@ -1,14 +0,0 @@ - -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) -/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) -/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) - -/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) - -/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) -/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if deleted file mode 100644 index a1371d539..000000000 --- a/policy/modules/services/nsd.if +++ /dev/null @@ -1,29 +0,0 @@ -## Authoritative only name server - -######################################## -## -## Send and receive datagrams from NSD. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nsd_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to NSD over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`nsd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te deleted file mode 100644 index 4b15536ca..000000000 --- a/policy/modules/services/nsd.te +++ /dev/null @@ -1,180 +0,0 @@ -policy_module(nsd, 1.7.0) - -######################################## -# -# Declarations -# - -type nsd_t; -type nsd_exec_t; -init_daemon_domain(nsd_t, nsd_exec_t) - -# A type for configuration files of nsd -type nsd_conf_t; -files_type(nsd_conf_t) - -type nsd_crond_t; -domain_type(nsd_crond_t) -domain_entry_file(nsd_crond_t, nsd_exec_t) -role system_r types nsd_crond_t; - -# a type for nsd.db -type nsd_db_t; -files_type(nsd_db_t) - -type nsd_var_run_t; -files_pid_file(nsd_var_run_t) - -# A type for zone files -type nsd_zone_t; -files_type(nsd_zone_t) - -######################################## -# -# NSD Local policy -# - -allow nsd_t self:capability { dac_override chown setuid setgid }; -dontaudit nsd_t self:capability sys_tty_config; -allow nsd_t self:process signal_perms; -allow nsd_t self:tcp_socket create_stream_socket_perms; -allow nsd_t self:udp_socket create_socket_perms; - -allow nsd_t nsd_conf_t:dir list_dir_perms; -read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) -read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) - -allow nsd_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) - -manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) -files_pid_filetrans(nsd_t, nsd_var_run_t, file) - -allow nsd_t nsd_zone_t:dir list_dir_perms; -read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) - -can_exec(nsd_t, nsd_exec_t) - -kernel_read_system_state(nsd_t) -kernel_read_kernel_sysctls(nsd_t) - -corecmd_exec_bin(nsd_t) - -corenet_all_recvfrom_unlabeled(nsd_t) -corenet_all_recvfrom_netlabel(nsd_t) -corenet_tcp_sendrecv_generic_if(nsd_t) -corenet_udp_sendrecv_generic_if(nsd_t) -corenet_tcp_sendrecv_generic_node(nsd_t) -corenet_udp_sendrecv_generic_node(nsd_t) -corenet_tcp_sendrecv_all_ports(nsd_t) -corenet_udp_sendrecv_all_ports(nsd_t) -corenet_tcp_bind_generic_node(nsd_t) -corenet_udp_bind_generic_node(nsd_t) -corenet_tcp_bind_dns_port(nsd_t) -corenet_udp_bind_dns_port(nsd_t) -corenet_sendrecv_dns_server_packets(nsd_t) - -dev_read_sysfs(nsd_t) - -domain_use_interactive_fds(nsd_t) - -files_read_etc_files(nsd_t) -files_read_etc_runtime_files(nsd_t) - -fs_getattr_all_fs(nsd_t) -fs_search_auto_mountpoints(nsd_t) - -logging_send_syslog_msg(nsd_t) - -miscfiles_read_localization(nsd_t) - -sysnet_read_config(nsd_t) - -userdom_dontaudit_use_unpriv_user_fds(nsd_t) -userdom_dontaudit_search_user_home_dirs(nsd_t) - -optional_policy(` - nis_use_ypbind(nsd_t) -') - -optional_policy(` - seutil_sigchld_newrole(nsd_t) -') - -optional_policy(` - udev_read_db(nsd_t) -') - -######################################## -# -# Zone update cron job local policy -# - -# kill capability for root cron job and non-root daemon -allow nsd_crond_t self:capability { dac_override kill }; -dontaudit nsd_crond_t self:capability sys_nice; -allow nsd_crond_t self:process { setsched signal_perms }; -allow nsd_crond_t self:fifo_file rw_fifo_file_perms; -allow nsd_crond_t self:tcp_socket create_socket_perms; -allow nsd_crond_t self:udp_socket create_socket_perms; - -allow nsd_crond_t nsd_conf_t:file read_file_perms; - -allow nsd_crond_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) -files_search_var_lib(nsd_crond_t) - -allow nsd_crond_t nsd_t:process signal; - -ps_process_pattern(nsd_crond_t, nsd_t) - -manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) -filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) - -can_exec(nsd_crond_t, nsd_exec_t) - -kernel_read_system_state(nsd_crond_t) - -corecmd_exec_bin(nsd_crond_t) -corecmd_exec_shell(nsd_crond_t) - -corenet_all_recvfrom_unlabeled(nsd_crond_t) -corenet_all_recvfrom_netlabel(nsd_crond_t) -corenet_tcp_sendrecv_generic_if(nsd_crond_t) -corenet_udp_sendrecv_generic_if(nsd_crond_t) -corenet_tcp_sendrecv_generic_node(nsd_crond_t) -corenet_udp_sendrecv_generic_node(nsd_crond_t) -corenet_tcp_sendrecv_all_ports(nsd_crond_t) -corenet_udp_sendrecv_all_ports(nsd_crond_t) -corenet_tcp_connect_all_ports(nsd_crond_t) -corenet_sendrecv_all_client_packets(nsd_crond_t) - -# for SSP -dev_read_urand(nsd_crond_t) - -domain_dontaudit_read_all_domains_state(nsd_crond_t) - -files_read_etc_files(nsd_crond_t) -files_read_etc_runtime_files(nsd_crond_t) -files_search_var_lib(nsd_t) - -logging_send_syslog_msg(nsd_crond_t) - -miscfiles_read_localization(nsd_crond_t) - -sysnet_read_config(nsd_crond_t) - -userdom_dontaudit_search_user_home_dirs(nsd_crond_t) - -optional_policy(` - cron_system_entry(nsd_crond_t, nsd_exec_t) -') - -optional_policy(` - nis_use_ypbind(nsd_crond_t) -') - -optional_policy(` - nscd_read_pid(nsd_crond_t) -') diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc deleted file mode 100644 index ce913b244..000000000 --- a/policy/modules/services/nslcd.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) -/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) -/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) -/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if deleted file mode 100644 index 23c769cf4..000000000 --- a/policy/modules/services/nslcd.if +++ /dev/null @@ -1,114 +0,0 @@ -## nslcd - local LDAP name service daemon. - -######################################## -## -## Execute a domain transition to run nslcd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nslcd_domtrans',` - gen_require(` - type nslcd_t, nslcd_exec_t; - ') - - domtrans_pattern($1, nslcd_exec_t, nslcd_t) -') - -######################################## -## -## Execute nslcd server in the nslcd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nslcd_initrc_domtrans',` - gen_require(` - type nslcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nslcd_initrc_exec_t) -') - -######################################## -## -## Read nslcd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`nslcd_read_pid_files',` - gen_require(` - type nslcd_var_run_t; - ') - - files_search_pids($1) - allow $1 nslcd_var_run_t:file read_file_perms; -') - -######################################## -## -## Connect to nslcd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`nslcd_stream_connect',` - gen_require(` - type nslcd_t, nslcd_var_run_t; - ') - - stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) - files_search_pids($1) -') - -######################################## -## -## All of the rules required to administrate -## an nslcd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`nslcd_admin',` - gen_require(` - type nslcd_t, nslcd_initrc_exec_t; - type nslcd_conf_t, nslcd_var_run_t; - ') - - ps_process_pattern($1, nslcd_t) - allow $1 nslcd_t:process { ptrace signal_perms }; - - # Allow nslcd_t to restart the apache service - nslcd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 nslcd_initrc_exec_t system_r; - allow $2 system_r; - - manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) - - manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) -') diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te deleted file mode 100644 index 4e28d5825..000000000 --- a/policy/modules/services/nslcd.te +++ /dev/null @@ -1,45 +0,0 @@ -policy_module(nslcd, 1.2.0) - -######################################## -# -# Declarations -# - -type nslcd_t; -type nslcd_exec_t; -init_daemon_domain(nslcd_t, nslcd_exec_t) - -type nslcd_initrc_exec_t; -init_script_file(nslcd_initrc_exec_t) - -type nslcd_var_run_t; -files_pid_file(nslcd_var_run_t) - -type nslcd_conf_t; -files_type(nslcd_conf_t) - -######################################## -# -# nslcd local policy -# - -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket create_stream_socket_perms; - -allow nslcd_t nslcd_conf_t:file read_file_perms; - -manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) -files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) - -kernel_read_system_state(nslcd_t) - -files_read_etc_files(nslcd_t) - -auth_use_nsswitch(nslcd_t) - -logging_send_syslog_msg(nslcd_t) - -miscfiles_read_localization(nslcd_t) diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc deleted file mode 100644 index 183843241..000000000 --- a/policy/modules/services/ntop.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) - -/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) - -/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) -/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) diff --git a/policy/modules/services/ntop.if b/policy/modules/services/ntop.if deleted file mode 100644 index 4bf0a141b..000000000 --- a/policy/modules/services/ntop.if +++ /dev/null @@ -1 +0,0 @@ -## Network Top diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te deleted file mode 100644 index ded9fb67a..000000000 --- a/policy/modules/services/ntop.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(ntop, 1.9.0) - -######################################## -# -# Declarations -# - -type ntop_t; -type ntop_exec_t; -init_daemon_domain(ntop_t, ntop_exec_t) -application_domain(ntop_t, ntop_exec_t) - -type ntop_initrc_exec_t; -init_script_file(ntop_initrc_exec_t) - -type ntop_etc_t; -files_config_file(ntop_etc_t) - -type ntop_tmp_t; -files_tmp_file(ntop_tmp_t) - -type ntop_var_lib_t; -files_type(ntop_var_lib_t) - -type ntop_var_run_t; -files_pid_file(ntop_var_run_t) - -######################################## -# -# Local Policy -# - -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; -dontaudit ntop_t self:capability sys_tty_config; -allow ntop_t self:process signal_perms; -allow ntop_t self:fifo_file rw_fifo_file_perms; -allow ntop_t self:tcp_socket create_stream_socket_perms; -allow ntop_t self:udp_socket create_socket_perms; -allow ntop_t self:unix_dgram_socket create_socket_perms; -allow ntop_t self:unix_stream_socket create_stream_socket_perms; -allow ntop_t self:packet_socket create_socket_perms; -allow ntop_t self:socket create_socket_perms; - -allow ntop_t ntop_etc_t:dir list_dir_perms; -read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) -read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) - -manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) -manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) -files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir }) - -manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) -manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) -files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } ) - -manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) -files_pid_filetrans(ntop_t, ntop_var_run_t, file) - -kernel_request_load_module(ntop_t) -kernel_read_system_state(ntop_t) -kernel_read_network_state(ntop_t) -kernel_read_kernel_sysctls(ntop_t) -kernel_list_proc(ntop_t) -kernel_read_proc_symlinks(ntop_t) - -corenet_all_recvfrom_unlabeled(ntop_t) -corenet_all_recvfrom_netlabel(ntop_t) -corenet_tcp_sendrecv_generic_if(ntop_t) -corenet_udp_sendrecv_generic_if(ntop_t) -corenet_raw_sendrecv_generic_if(ntop_t) -corenet_tcp_sendrecv_generic_node(ntop_t) -corenet_udp_sendrecv_generic_node(ntop_t) -corenet_raw_sendrecv_generic_node(ntop_t) -corenet_tcp_sendrecv_all_ports(ntop_t) -corenet_udp_sendrecv_all_ports(ntop_t) -corenet_tcp_bind_ntop_port(ntop_t) -corenet_tcp_connect_ntop_port(ntop_t) -corenet_tcp_connect_http_port(ntop_t) -corenet_sendrecv_http_client_packets(ntop_t) -corenet_sendrecv_ntop_client_packets(ntop_t) -corenet_sendrecv_ntop_server_packets(ntop_t) - -dev_read_sysfs(ntop_t) -dev_rw_generic_usb_dev(ntop_t) - -domain_use_interactive_fds(ntop_t) - -files_read_etc_files(ntop_t) -files_read_usr_files(ntop_t) - -fs_getattr_all_fs(ntop_t) -fs_search_auto_mountpoints(ntop_t) - -auth_use_nsswitch(ntop_t) - -logging_send_syslog_msg(ntop_t) - -miscfiles_read_localization(ntop_t) -miscfiles_read_fonts(ntop_t) - -userdom_dontaudit_use_unpriv_user_fds(ntop_t) -userdom_dontaudit_search_user_home_dirs(ntop_t) - -optional_policy(` - apache_read_sys_content(ntop_t) -') - -optional_policy(` - seutil_sigchld_newrole(ntop_t) -') - -optional_policy(` - udev_read_db(ntop_t) -') diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc deleted file mode 100644 index e79dccce0..000000000 --- a/policy/modules/services/ntp.fc +++ /dev/null @@ -1,22 +0,0 @@ - -/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0) -/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) - -/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) -/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) -/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0) - -/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) - -/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) -/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - -/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - -/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) -/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) -/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) - -/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if deleted file mode 100644 index e80f8c06a..000000000 --- a/policy/modules/services/ntp.if +++ /dev/null @@ -1,165 +0,0 @@ -## Network time protocol daemon - -######################################## -## -## NTP stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`ntp_stub',` - gen_require(` - type ntpd_t; - ') -') - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ntp_domtrans',` - gen_require(` - type ntpd_t, ntpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpd_exec_t, ntpd_t) -') - -######################################## -## -## Execute ntp in the ntp domain, and -## allow the specified role the ntp domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`ntp_run',` - gen_require(` - type ntpd_t; - ') - - ntp_domtrans($1) - role $2 types ntpd_t; -') - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ntp_domtrans_ntpdate',` - gen_require(` - type ntpd_t, ntpdate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpdate_exec_t, ntpd_t) -') - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ntp_initrc_domtrans',` - gen_require(` - type ntpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -') - -######################################## -## -## Read and write ntpd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`ntp_rw_shm',` - gen_require(` - type ntpd_t, ntpd_tmpfs_t; - ') - - allow $1 ntpd_t:shm rw_shm_perms; - list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - fs_search_tmpfs($1) -') - -######################################## -## -## All of the rules required to administrate -## an ntp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the ntp domain. -## -## -## -# -interface(`ntp_admin',` - gen_require(` - type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_var_run_t; - type ntpd_initrc_exec_t; - ') - - allow $1 ntpd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, ntpd_t) - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ntpd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, ntpd_key_t) - - logging_list_logs($1) - admin_pattern($1, ntpd_log_t) - - files_list_tmp($1) - admin_pattern($1, ntpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, ntpd_var_run_t) -') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te deleted file mode 100644 index c61adc8dd..000000000 --- a/policy/modules/services/ntp.te +++ /dev/null @@ -1,156 +0,0 @@ -policy_module(ntp, 1.10.0) - -######################################## -# -# Declarations -# - -type ntp_drift_t; -files_type(ntp_drift_t) - -type ntpd_t; -type ntpd_exec_t; -init_daemon_domain(ntpd_t, ntpd_exec_t) - -type ntpd_initrc_exec_t; -init_script_file(ntpd_initrc_exec_t) - -type ntpd_key_t; -files_type(ntpd_key_t) - -type ntpd_log_t; -logging_log_file(ntpd_log_t) - -type ntpd_tmp_t; -files_tmp_file(ntpd_tmp_t) - -type ntpd_tmpfs_t; -files_tmpfs_file(ntpd_tmpfs_t) - -type ntpd_var_run_t; -files_pid_file(ntpd_var_run_t) - -type ntpdate_exec_t; -init_system_domain(ntpd_t, ntpdate_exec_t) - -######################################## -# -# Local policy -# - -# sys_resource and setrlimit is for locking memory -# ntpdate wants sys_nice -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; -allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; -allow ntpd_t self:fifo_file rw_fifo_file_perms; -allow ntpd_t self:shm create_shm_perms; -allow ntpd_t self:unix_dgram_socket create_socket_perms; -allow ntpd_t self:unix_stream_socket create_socket_perms; -allow ntpd_t self:tcp_socket create_stream_socket_perms; -allow ntpd_t self:udp_socket create_socket_perms; - -manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) - -can_exec(ntpd_t, ntpd_exec_t) - -read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) -read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - -allow ntpd_t ntpd_log_t:dir setattr; -manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) - -# for some reason it creates a file in /tmp -manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) - -manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) - -manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) -files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) - -kernel_read_kernel_sysctls(ntpd_t) -kernel_read_system_state(ntpd_t) -kernel_read_network_state(ntpd_t) -kernel_request_load_module(ntpd_t) - -corenet_all_recvfrom_unlabeled(ntpd_t) -corenet_all_recvfrom_netlabel(ntpd_t) -corenet_tcp_sendrecv_generic_if(ntpd_t) -corenet_udp_sendrecv_generic_if(ntpd_t) -corenet_tcp_sendrecv_generic_node(ntpd_t) -corenet_udp_sendrecv_generic_node(ntpd_t) -corenet_tcp_sendrecv_all_ports(ntpd_t) -corenet_udp_sendrecv_all_ports(ntpd_t) -corenet_tcp_bind_generic_node(ntpd_t) -corenet_udp_bind_generic_node(ntpd_t) -corenet_udp_bind_ntp_port(ntpd_t) -corenet_tcp_connect_ntp_port(ntpd_t) -corenet_sendrecv_ntp_server_packets(ntpd_t) -corenet_sendrecv_ntp_client_packets(ntpd_t) - -dev_read_sysfs(ntpd_t) -# for SSP -dev_read_urand(ntpd_t) - -fs_getattr_all_fs(ntpd_t) -fs_search_auto_mountpoints(ntpd_t) - -term_use_ptmx(ntpd_t) - -auth_use_nsswitch(ntpd_t) - -corecmd_exec_bin(ntpd_t) -corecmd_exec_shell(ntpd_t) - -domain_use_interactive_fds(ntpd_t) -domain_dontaudit_list_all_domains_state(ntpd_t) - -files_read_etc_files(ntpd_t) -files_read_etc_runtime_files(ntpd_t) -files_read_usr_files(ntpd_t) -files_list_var_lib(ntpd_t) - -init_exec_script_files(ntpd_t) - -logging_send_syslog_msg(ntpd_t) - -miscfiles_read_localization(ntpd_t) - -userdom_dontaudit_use_unpriv_user_fds(ntpd_t) -userdom_list_user_home_dirs(ntpd_t) - -optional_policy(` - # for cron jobs - cron_system_entry(ntpd_t, ntpdate_exec_t) -') - -optional_policy(` - gpsd_rw_shm(ntpd_t) -') - -optional_policy(` - firstboot_dontaudit_use_fds(ntpd_t) - firstboot_dontaudit_rw_pipes(ntpd_t) - firstboot_dontaudit_rw_stream_sockets(ntpd_t) -') - -optional_policy(` - hal_dontaudit_write_log(ntpd_t) -') - -optional_policy(` - logrotate_exec(ntpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(ntpd_t) -') - -optional_policy(` - udev_read_db(ntpd_t) -') diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc deleted file mode 100644 index 0a929ef4b..000000000 --- a/policy/modules/services/nut.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) - -/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) - -/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) -/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - -/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) - -/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/policy/modules/services/nut.if b/policy/modules/services/nut.if deleted file mode 100644 index 56660c514..000000000 --- a/policy/modules/services/nut.if +++ /dev/null @@ -1 +0,0 @@ -## nut - Network UPS Tools diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te deleted file mode 100644 index ff962dd0c..000000000 --- a/policy/modules/services/nut.te +++ /dev/null @@ -1,171 +0,0 @@ -policy_module(nut, 1.2.0) - -######################################## -# -# Declarations -# - -type nut_conf_t; -files_config_file(nut_conf_t) - -type nut_upsd_t; -type nut_upsd_exec_t; -init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) - -type nut_upsmon_t; -type nut_upsmon_exec_t; -init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) - -type nut_upsdrvctl_t; -type nut_upsdrvctl_exec_t; -init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - -type nut_var_run_t; -files_pid_file(nut_var_run_t) - -######################################## -# -# Local policy for upsd -# - -allow nut_upsd_t self:capability { setgid setuid dac_override }; - -allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; - -allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; - -read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - -# pid file -manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(nut_upsd_t) - -corenet_tcp_bind_ups_port(nut_upsd_t) -corenet_tcp_bind_generic_port(nut_upsd_t) -corenet_tcp_bind_all_nodes(nut_upsd_t) - -files_read_usr_files(nut_upsd_t) - -auth_use_nsswitch(nut_upsd_t) - -logging_send_syslog_msg(nut_upsd_t) - -miscfiles_read_localization(nut_upsd_t) - -######################################## -# -# Local policy for upsmon -# - -allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; -allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; -allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -allow nut_upsmon_t self:tcp_socket create_socket_perms; - -read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) - -# pid file -manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) - -kernel_read_kernel_sysctls(nut_upsmon_t) -kernel_read_system_state(nut_upsmon_t) - -corecmd_exec_bin(nut_upsmon_t) -corecmd_exec_shell(nut_upsmon_t) - -corenet_tcp_connect_ups_port(nut_upsmon_t) -corenet_tcp_connect_generic_port(nut_upsmon_t) - -# Creates /etc/killpower -files_manage_etc_runtime_files(nut_upsmon_t) -files_etc_filetrans_etc_runtime(nut_upsmon_t, file) -files_search_usr(nut_upsmon_t) - -# /usr/bin/wall -term_write_all_terms(nut_upsmon_t) - -# upsmon runs shutdown, probably need a shutdown domain -init_rw_utmp(nut_upsmon_t) -init_telinit(nut_upsmon_t) - -logging_send_syslog_msg(nut_upsmon_t) - -auth_use_nsswitch(nut_upsmon_t) - -miscfiles_read_localization(nut_upsmon_t) - -mta_send_mail(nut_upsmon_t) - -optional_policy(` - shutdown_domtrans(nut_upsmon_t) -') - -######################################## -# -# Local policy for upsdrvctl -# - -allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; -allow nut_upsdrvctl_t self:process { sigchld signal signull }; -allow nut_upsdrvctl_t self:fd use; -allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; -allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nut_upsdrvctl_t self:udp_socket create_socket_perms; - -read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) - -# pid file -manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(nut_upsdrvctl_t) - -# /sbin/upsdrvctl executes other drivers -corecmd_exec_bin(nut_upsdrvctl_t) - -dev_read_urand(nut_upsdrvctl_t) -dev_rw_generic_usb_dev(nut_upsdrvctl_t) - -term_use_unallocated_ttys(nut_upsdrvctl_t) - -auth_use_nsswitch(nut_upsdrvctl_t) - -init_sigchld(nut_upsdrvctl_t) - -logging_send_syslog_msg(nut_upsdrvctl_t) - -miscfiles_read_localization(nut_upsdrvctl_t) - -####################################### -# -# Local policy for upscgi scripts -# requires httpd_enable_cgi and httpd_can_network_connect -# - -optional_policy(` - apache_content_template(nutups_cgi) - - read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) - - corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) - corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) - corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) - corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) - corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) - - sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) -') diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc deleted file mode 100644 index c4d2dca83..000000000 --- a/policy/modules/services/nx.fc +++ /dev/null @@ -1,12 +0,0 @@ -/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) -/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) - -/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) - -/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) -/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if deleted file mode 100644 index 79a225ca0..000000000 --- a/policy/modules/services/nx.if +++ /dev/null @@ -1,85 +0,0 @@ -## NX remote desktop - -######################################## -## -## Transition to NX server. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`nx_spec_domtrans_server',` - gen_require(` - type nx_server_t, nx_server_exec_t; - ') - - spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) -') - -######################################## -## -## Read nx home directory content -## -## -## -## Domain allowed access. -## -## -# -interface(`nx_read_home_files',` - gen_require(` - type nx_server_home_ssh_t, nx_server_var_lib_t; - ') - - allow $1 nx_server_var_lib_t:dir search_dir_perms; - read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) -') - -######################################## -## -## Read nx /var/lib content -## -## -## -## Domain allowed access. -## -## -# -interface(`nx_search_var_lib',` - gen_require(` - type nx_server_var_lib_t; - ') - - allow $1 nx_server_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Create an object in the root directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`nx_var_lib_filetrans',` - gen_require(` - type nx_server_var_lib_t; - ') - - filetrans_pattern($1, nx_server_var_lib_t, $2, $3) -') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te deleted file mode 100644 index 58e2972f4..000000000 --- a/policy/modules/services/nx.te +++ /dev/null @@ -1,98 +0,0 @@ -policy_module(nx, 1.6.0) - -######################################## -# -# Declarations -# - -type nx_server_t; -type nx_server_exec_t; -domain_type(nx_server_t) -domain_entry_file(nx_server_t, nx_server_exec_t) -domain_user_exemption_target(nx_server_t) -# we need an extra role because nxserver is called from sshd -# cjp: do we really need this? -role nx_server_r; -role nx_server_r types nx_server_t; -allow system_r nx_server_r; - -type nx_server_devpts_t; -term_user_pty(nx_server_t, nx_server_devpts_t) - -type nx_server_tmp_t; -files_tmp_file(nx_server_tmp_t) - -type nx_server_var_lib_t; -files_type(nx_server_var_lib_t) - -type nx_server_var_run_t; -files_pid_file(nx_server_var_run_t) - -######################################## -# -# NX server local policy -# - -allow nx_server_t self:fifo_file rw_fifo_file_perms; -allow nx_server_t self:tcp_socket create_socket_perms; -allow nx_server_t self:udp_socket create_socket_perms; - -allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(nx_server_t, nx_server_devpts_t) - -manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) - -manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) -manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) -files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) - -manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) -files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) - -kernel_read_system_state(nx_server_t) -kernel_read_kernel_sysctls(nx_server_t) - -# nxserver is a shell script --> call other programs -corecmd_exec_shell(nx_server_t) -corecmd_exec_bin(nx_server_t) - -corenet_all_recvfrom_unlabeled(nx_server_t) -corenet_all_recvfrom_netlabel(nx_server_t) -corenet_tcp_sendrecv_generic_if(nx_server_t) -corenet_udp_sendrecv_generic_if(nx_server_t) -corenet_tcp_sendrecv_generic_node(nx_server_t) -corenet_udp_sendrecv_generic_node(nx_server_t) -corenet_tcp_sendrecv_all_ports(nx_server_t) -corenet_udp_sendrecv_all_ports(nx_server_t) -corenet_tcp_connect_all_ports(nx_server_t) -corenet_sendrecv_all_client_packets(nx_server_t) - -dev_read_urand(nx_server_t) - -files_read_etc_files(nx_server_t) -files_read_etc_runtime_files(nx_server_t) -# for reading the config files; maybe a separate type, -# but users need to be able to also read the config -files_read_usr_files(nx_server_t) - -miscfiles_read_localization(nx_server_t) - -seutil_dontaudit_search_config(nx_server_t) - -sysnet_read_config(nx_server_t) - -ifdef(`TODO',` -# clients already have create permissions; the nxclient wants to also have unlink rights -allow userdomain xdm_tmp_t:sock_file unlink; -# for a lockfile created by the client process -allow nx_server_t user_tmpfile:file getattr; -') - -######################################## -# -# SSH component local policy -# - -ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) diff --git a/policy/modules/services/oav.fc b/policy/modules/services/oav.fc deleted file mode 100644 index 0a6647451..000000000 --- a/policy/modules/services/oav.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0) -/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0) - -/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0) -/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0) - -/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) -/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) -/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if deleted file mode 100644 index 7f0d64447..000000000 --- a/policy/modules/services/oav.if +++ /dev/null @@ -1,46 +0,0 @@ -## Open AntiVirus scannerdaemon and signature update - -######################################## -## -## Execute oav_update in the oav_update domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`oav_domtrans_update',` - gen_require(` - type oav_update_t, oav_update_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oav_update_exec_t, oav_update_t) -') - -######################################## -## -## Execute oav_update in the oav_update domain, and -## allow the specified role the oav_update domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`oav_run_update',` - gen_require(` - type oav_update_t; - ') - - oav_domtrans_update($1) - role $2 types oav_update_t; -') diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te deleted file mode 100644 index b4c5f8633..000000000 --- a/policy/modules/services/oav.te +++ /dev/null @@ -1,146 +0,0 @@ -policy_module(oav, 1.9.0) - -######################################## -# -# Declarations -# - -type oav_update_t; -type oav_update_exec_t; -application_domain(oav_update_t, oav_update_exec_t) - -# cjp: may be collapsable to etc_t -type oav_update_etc_t; -files_config_file(oav_update_etc_t) - -type oav_update_var_lib_t; -files_type(oav_update_var_lib_t) - -type scannerdaemon_t; -type scannerdaemon_exec_t; -init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t) - -type scannerdaemon_etc_t; -files_config_file(scannerdaemon_etc_t) - -type scannerdaemon_log_t; -logging_log_file(scannerdaemon_log_t) - -type scannerdaemon_var_run_t; -files_pid_file(scannerdaemon_var_run_t) - -######################################## -# -# OAV update local policy -# - -allow oav_update_t self:tcp_socket create_stream_socket_perms; -allow oav_update_t self:udp_socket create_socket_perms; - -# Can read /etc/oav-update/* files -allow oav_update_t oav_update_etc_t:dir list_dir_perms; -allow oav_update_t oav_update_etc_t:file read_file_perms; - -# Can read /var/lib/oav-update/current -manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) -manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) -read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) - -corecmd_exec_all_executables(oav_update_t) - -corenet_all_recvfrom_unlabeled(oav_update_t) -corenet_all_recvfrom_netlabel(oav_update_t) -corenet_tcp_sendrecv_generic_if(oav_update_t) -corenet_udp_sendrecv_generic_if(oav_update_t) -corenet_tcp_sendrecv_generic_node(oav_update_t) -corenet_udp_sendrecv_generic_node(oav_update_t) -corenet_tcp_sendrecv_all_ports(oav_update_t) -corenet_udp_sendrecv_all_ports(oav_update_t) - -files_exec_etc_files(oav_update_t) - -libs_exec_ld_so(oav_update_t) -libs_exec_lib_files(oav_update_t) - -logging_send_syslog_msg(oav_update_t) - -sysnet_read_config(oav_update_t) - -userdom_use_user_terminals(oav_update_t) - -optional_policy(` - cron_system_entry(oav_update_t, oav_update_exec_t) -') - -######################################## -# -# Scannerdaemon local policy -# - -dontaudit scannerdaemon_t self:capability sys_tty_config; -allow scannerdaemon_t self:process signal_perms; -allow scannerdaemon_t self:fifo_file rw_fifo_file_perms; -allow scannerdaemon_t self:tcp_socket create_stream_socket_perms; -allow scannerdaemon_t self:udp_socket create_socket_perms; - -allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms; -allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms; -files_search_var_lib(scannerdaemon_t) - -allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms; - -allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms; -logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file) - -manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t) -files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file) - -kernel_read_system_state(scannerdaemon_t) -kernel_read_kernel_sysctls(scannerdaemon_t) - -# Can run kaffe -corecmd_exec_all_executables(scannerdaemon_t) - -corenet_all_recvfrom_unlabeled(scannerdaemon_t) -corenet_all_recvfrom_netlabel(scannerdaemon_t) -corenet_tcp_sendrecv_generic_if(scannerdaemon_t) -corenet_udp_sendrecv_generic_if(scannerdaemon_t) -corenet_tcp_sendrecv_generic_node(scannerdaemon_t) -corenet_udp_sendrecv_generic_node(scannerdaemon_t) -corenet_tcp_sendrecv_all_ports(scannerdaemon_t) -corenet_udp_sendrecv_all_ports(scannerdaemon_t) - -dev_read_sysfs(scannerdaemon_t) - -domain_use_interactive_fds(scannerdaemon_t) - -files_read_etc_files(scannerdaemon_t) -files_read_etc_runtime_files(scannerdaemon_t) -# Can run kaffe -files_exec_etc_files(scannerdaemon_t) - -fs_getattr_all_fs(scannerdaemon_t) -fs_search_auto_mountpoints(scannerdaemon_t) - -auth_dontaudit_read_shadow(scannerdaemon_t) - -# Can run kaffe -libs_exec_ld_so(scannerdaemon_t) -libs_exec_lib_files(scannerdaemon_t) - -logging_send_syslog_msg(scannerdaemon_t) - -miscfiles_read_localization(scannerdaemon_t) - -sysnet_read_config(scannerdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t) -userdom_dontaudit_search_user_home_dirs(scannerdaemon_t) - -optional_policy(` - seutil_sigchld_newrole(scannerdaemon_t) -') - -optional_policy(` - udev_read_db(scannerdaemon_t) -') diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc deleted file mode 100644 index bdf8c8931..000000000 --- a/policy/modules/services/oddjob.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if deleted file mode 100644 index bd76ec263..000000000 --- a/policy/modules/services/oddjob.if +++ /dev/null @@ -1,111 +0,0 @@ -## -## Oddjob provides a mechanism by which unprivileged applications can -## request that specified privileged operations be performed on their -## behalf. -## - -######################################## -## -## Execute a domain transition to run oddjob. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`oddjob_domtrans',` - gen_require(` - type oddjob_t, oddjob_exec_t; - ') - - domtrans_pattern($1, oddjob_exec_t, oddjob_t) -') - -######################################## -## -## Make the specified program domain accessable -## from the oddjob. -## -## -## -## The type of the process to transition to. -## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# -interface(`oddjob_system_entry',` - gen_require(` - type oddjob_t; - ') - - domtrans_pattern(oddjob_t, $2, $1) -') - -######################################## -## -## Send and receive messages from -## oddjob over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`oddjob_dbus_chat',` - gen_require(` - type oddjob_t; - class dbus send_msg; - ') - - allow $1 oddjob_t:dbus send_msg; - allow oddjob_t $1:dbus send_msg; -') - -######################################## -## -## Execute a domain transition to run oddjob_mkhomedir. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`oddjob_domtrans_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; - ') - - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) -') - -######################################## -## -## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`oddjob_run_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t; - ') - - oddjob_domtrans_mkhomedir($1) - role $2 types oddjob_mkhomedir_t; -') diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te deleted file mode 100644 index cadfc63da..000000000 --- a/policy/modules/services/oddjob.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(oddjob, 1.7.0) - -######################################## -# -# Declarations -# - -type oddjob_t; -type oddjob_exec_t; -domain_type(oddjob_t) -init_daemon_domain(oddjob_t, oddjob_exec_t) -domain_obj_id_change_exemption(oddjob_t) -domain_role_change_exemption(oddjob_t) -domain_subj_id_change_exemption(oddjob_t) - -type oddjob_mkhomedir_t; -type oddjob_mkhomedir_exec_t; -domain_type(oddjob_mkhomedir_t) -domain_obj_id_change_exemption(oddjob_mkhomedir_t) -init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - -# pid files -type oddjob_var_run_t; -files_pid_file(oddjob_var_run_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) -') - -######################################## -# -# oddjob local policy -# - -allow oddjob_t self:capability setgid; -allow oddjob_t self:process { setexec signal }; -allow oddjob_t self:fifo_file rw_fifo_file_perms; -allow oddjob_t self:unix_stream_socket create_stream_socket_perms; - -manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) -manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) -files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) - -kernel_read_system_state(oddjob_t) - -corecmd_exec_bin(oddjob_t) -corecmd_exec_shell(oddjob_t) - -mcs_process_set_categories(oddjob_t) - -selinux_compute_create_context(oddjob_t) - -files_read_etc_files(oddjob_t) - -miscfiles_read_localization(oddjob_t) - -locallogin_dontaudit_use_fds(oddjob_t) - -optional_policy(` - dbus_system_bus_client(oddjob_t) - dbus_connect_system_bus(oddjob_t) -') - -optional_policy(` - unconfined_domtrans(oddjob_t) -') - -######################################## -# -# oddjob_mkhomedir local policy -# - -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -allow oddjob_mkhomedir_t self:process setfscreate; -allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; -allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(oddjob_mkhomedir_t) - -files_read_etc_files(oddjob_mkhomedir_t) - -auth_use_nsswitch(oddjob_mkhomedir_t) - -logging_send_syslog_msg(oddjob_mkhomedir_t) - -miscfiles_read_localization(oddjob_mkhomedir_t) - -selinux_get_fs_mount(oddjob_mkhomedir_t) -selinux_validate_context(oddjob_mkhomedir_t) -selinux_compute_access_vector(oddjob_mkhomedir_t) -selinux_compute_create_context(oddjob_mkhomedir_t) -selinux_compute_relabel_context(oddjob_mkhomedir_t) -selinux_compute_user_contexts(oddjob_mkhomedir_t) - -seutil_read_config(oddjob_mkhomedir_t) -seutil_read_file_contexts(oddjob_mkhomedir_t) -seutil_read_default_contexts(oddjob_mkhomedir_t) - -# Add/remove user home directories -userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content_files(oddjob_mkhomedir_t) -userdom_manage_user_home_dirs(oddjob_mkhomedir_t) -userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) - diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc deleted file mode 100644 index 5840ea879..000000000 --- a/policy/modules/services/oident.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0) - -/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) -/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) - -/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0) - -/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if deleted file mode 100644 index bb4fae514..000000000 --- a/policy/modules/services/oident.if +++ /dev/null @@ -1,68 +0,0 @@ -## SELinux policy for Oident daemon. -## -##

-## Oident daemon is a server that implements the TCP/IP -## standard IDENT user identification protocol as -## specified in the RFC 1413 document. -##

-## - -######################################## -## -## Allow the specified domain to read -## Oidentd personal configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`oident_read_user_content', ` - gen_require(` - type oidentd_home_t; - ') - - allow $1 oidentd_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Allow the specified domain to create, read, write, and delete -## Oidentd personal configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`oident_manage_user_content', ` - gen_require(` - type oidentd_home_t; - ') - - allow $1 oidentd_home_t:file manage_file_perms; - userdom_search_user_home_dirs($1) -') - -######################################## -## -## Allow the specified domain to relabel -## Oidentd personal configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`oident_relabel_user_content', ` - gen_require(` - type oidentd_home_t; - ') - - allow $1 oidentd_home_t:file relabel_file_perms; - userdom_search_user_home_dirs($1) -') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te deleted file mode 100644 index 8845174ec..000000000 --- a/policy/modules/services/oident.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(oident, 2.2.0) - -######################################## -# -# Oident daemon private declarations -# - -type oidentd_t; -type oidentd_exec_t; -init_daemon_domain(oidentd_t, oidentd_exec_t) - -type oidentd_home_t; -typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t }; -typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t }; -userdom_user_home_content(oidentd_home_t) - -type oidentd_initrc_exec_t; -init_script_file(oidentd_initrc_exec_t) - -type oidentd_config_t; -files_config_file(oidentd_config_t) - -######################################## -# -# Oident daemon private policy -# - -allow oidentd_t self:capability { setuid setgid }; -allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; -allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; -allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; -allow oidentd_t self:udp_socket { write read create connect getattr ioctl }; -allow oidentd_t self:unix_dgram_socket { create connect }; - -allow oidentd_t oidentd_config_t:file read_file_perms; - -corenet_all_recvfrom_unlabeled(oidentd_t) -corenet_all_recvfrom_netlabel(oidentd_t) -corenet_tcp_sendrecv_generic_if(oidentd_t) -corenet_tcp_sendrecv_generic_node(oidentd_t) -corenet_tcp_bind_generic_node(oidentd_t) -corenet_tcp_bind_auth_port(oidentd_t) -corenet_sendrecv_auth_server_packets(oidentd_t) - -files_read_etc_files(oidentd_t) - -kernel_read_kernel_sysctls(oidentd_t) -kernel_read_network_state(oidentd_t) -kernel_read_network_state_symlinks(oidentd_t) -kernel_read_sysctl(oidentd_t) -# oidentd requests the tcp_diag kernel module, otherwise -# it will be stuck using the slow /proc/net/tcp interface -kernel_request_load_module(oidentd_t) - -logging_send_syslog_msg(oidentd_t) - -miscfiles_read_localization(oidentd_t) - -sysnet_read_config(oidentd_t) - -oident_read_user_content(oidentd_t) - -optional_policy(` - nis_use_ypbind(oidentd_t) -') - -tunable_policy(`use_samba_home_dirs', ` - fs_list_cifs(oidentd_t) - fs_read_cifs_files(oidentd_t) -') - -tunable_policy(`use_nfs_home_dirs', ` - fs_list_nfs(oidentd_t) - fs_read_nfs_files(oidentd_t) -') diff --git a/policy/modules/services/openca.fc b/policy/modules/services/openca.fc deleted file mode 100644 index 72a2db6d1..000000000 --- a/policy/modules/services/openca.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0) -/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0) -/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0) - -/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0) -/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0) - -/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0) -/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0) diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if deleted file mode 100644 index a8c1eefae..000000000 --- a/policy/modules/services/openca.if +++ /dev/null @@ -1,76 +0,0 @@ -## OpenCA - Open Certificate Authority - -######################################## -## -## Execute the OpenCA program with -## a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`openca_domtrans',` - gen_require(` - type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; - ') - - domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) - allow $1 openca_usr_share_t:dir search_dir_perms; - files_search_usr($1) -') - -######################################## -## -## Send OpenCA generic signals. -## -## -## -## Domain allowed access. -## -## -# -interface(`openca_signal',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process signal; -') - -######################################## -## -## Send OpenCA stop signals. -## -## -## -## Domain allowed access. -## -## -# -interface(`openca_sigstop',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigstop; -') - -######################################## -## -## Kill OpenCA. -## -## -## -## Domain allowed access. -## -## -# -interface(`openca_kill',` - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigkill; -') diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te deleted file mode 100644 index 2df8170db..000000000 --- a/policy/modules/services/openca.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(openca, 1.2.0) - -######################################## -# -# Declarations -# - -type openca_ca_t; -type openca_ca_exec_t; -domain_type(openca_ca_t) -domain_entry_file(openca_ca_t, openca_ca_exec_t) -role system_r types openca_ca_t; - -# cjp: seems like some of these types -# can be removed and replaced with generic -# etc or usr files. - -# /etc/openca standard files -type openca_etc_t; -files_config_file(openca_etc_t) - -# /etc/openca template files -type openca_etc_in_t; -files_type(openca_etc_in_t) - -# /etc/openca writeable (from CGI script) files -type openca_etc_writeable_t; -files_type(openca_etc_writeable_t) - -# /usr/share/openca/crypto/keys -type openca_usr_share_t; -files_type(openca_usr_share_t) - -# /var/lib/openca -type openca_var_lib_t; -files_type(openca_var_lib_t) - -# /var/lib/openca/crypto/keys -type openca_var_lib_keys_t; -files_type(openca_var_lib_keys_t) - -######################################## -# -# Local policy -# - -# Allow access to other files under /etc/openca -allow openca_ca_t openca_etc_t:file read_file_perms; -allow openca_ca_t openca_etc_t:dir list_dir_perms; - -# Allow access to writeable files under /etc/openca -manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) -manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) - -# Allow access to other /var/lib/openca files -manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) -manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) - -# Allow access to private CA key -manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) -manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) - -# Allow access to other /usr/share/openca files -read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) -read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) -allow openca_ca_t openca_usr_share_t:dir list_dir_perms; - -# the perl executable will be able to run a perl script -corecmd_exec_bin(openca_ca_t) - -dev_read_rand(openca_ca_t) - -files_list_default(openca_ca_t) - -init_use_fds(openca_ca_t) -init_use_script_fds(openca_ca_t) - -libs_exec_lib_files(openca_ca_t) - -apache_append_log(openca_ca_t) -# Allow the script to return its output -apache_rw_cache_files(openca_ca_t) diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc deleted file mode 100644 index 58c8816c4..000000000 --- a/policy/modules/services/openct.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /usr -# -/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0) -/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0) - -# -# /var -# -/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0) diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if deleted file mode 100644 index 9d0a67bf9..000000000 --- a/policy/modules/services/openct.if +++ /dev/null @@ -1,95 +0,0 @@ -## Service for handling smart card readers. - -######################################## -## -## Send openct a null signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_signull',` - gen_require(` - type openct_t; - ') - - allow $1 openct_t:process signull; -') - -######################################## -## -## Execute openct in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_exec',` - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, openct_exec_t) -') - -######################################## -## -## Execute a domain transition to run openct. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`openct_domtrans',` - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openct_exec_t, openct_t) -') - -######################################## -## -## Read openct PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_read_pid_files',` - gen_require(` - type openct_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, openct_var_run_t, openct_var_run_t) -') - -######################################## -## -## Connect to openct over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`openct_stream_connect',` - gen_require(` - type openct_t, openct_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t) -') diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te deleted file mode 100644 index 7f8fdc2c0..000000000 --- a/policy/modules/services/openct.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(openct, 1.5.0) - -######################################## -# -# Declarations -# - -type openct_t; -type openct_exec_t; -init_daemon_domain(openct_t, openct_exec_t) - -type openct_var_run_t; -files_pid_file(openct_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit openct_t self:capability sys_tty_config; -allow openct_t self:process signal_perms; - -manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) -manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) - -kernel_read_kernel_sysctls(openct_t) -kernel_list_proc(openct_t) -kernel_read_proc_symlinks(openct_t) - -dev_read_sysfs(openct_t) -# openct asks for this -dev_rw_usbfs(openct_t) -dev_rw_smartcard(openct_t) -dev_rw_generic_usb_dev(openct_t) - -domain_use_interactive_fds(openct_t) - -# openct asks for this -files_read_etc_files(openct_t) - -fs_getattr_all_fs(openct_t) -fs_search_auto_mountpoints(openct_t) - -logging_send_syslog_msg(openct_t) - -miscfiles_read_localization(openct_t) - -userdom_dontaudit_use_unpriv_user_fds(openct_t) -userdom_dontaudit_search_user_home_dirs(openct_t) - -openct_exec(openct_t) - -optional_policy(` - seutil_sigchld_newrole(openct_t) -') - -optional_policy(` - udev_read_db(openct_t) -') diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc deleted file mode 100644 index 9c186d2cd..000000000 --- a/policy/modules/services/openvpn.fc +++ /dev/null @@ -1,17 +0,0 @@ -# -# /etc -# -/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) -/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) -/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) - -# -# /var -# -/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) -/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if deleted file mode 100644 index d88321423..000000000 --- a/policy/modules/services/openvpn.if +++ /dev/null @@ -1,163 +0,0 @@ -## full-featured SSL VPN solution - -######################################## -## -## Execute OPENVPN clients in the openvpn domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`openvpn_domtrans',` - gen_require(` - type openvpn_t, openvpn_exec_t; - ') - - domtrans_pattern($1, openvpn_exec_t, openvpn_t) -') - -######################################## -## -## Execute OPENVPN clients in the openvpn domain, and -## allow the specified role the openvpn domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`openvpn_run',` - gen_require(` - type openvpn_t; - ') - - openvpn_domtrans($1) - role $2 types openvpn_t; -') - -######################################## -## -## Send OPENVPN clients the kill signal. -## -## -## -## Domain allowed access. -## -## -# -interface(`openvpn_kill',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process sigkill; -') - -######################################## -## -## Send generic signals to OPENVPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`openvpn_signal',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signal; -') - -######################################## -## -## Send signulls to OPENVPN clients. -## -## -## -## Domain allowed access. -## -## -# -interface(`openvpn_signull',` - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signull; -') - -######################################## -## -## Allow the specified domain to read -## OpenVPN configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`openvpn_read_config',` - gen_require(` - type openvpn_etc_t; - ') - - files_search_etc($1) - allow $1 openvpn_etc_t:dir list_dir_perms; - read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) - read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) -') - -######################################## -## -## All of the rules required to administrate -## an openvpn environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the openvpn domain. -## -## -## -# -interface(`openvpn_admin',` - gen_require(` - type openvpn_t, openvpn_etc_t, openvpn_var_log_t; - type openvpn_var_run_t, openvpn_initrc_exec_t; - ') - - allow $1 openvpn_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvpn_t) - - init_labeled_script_domtrans($1, openvpn_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openvpn_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, openvpn_etc_t) - - logging_list_logs($1) - admin_pattern($1, openvpn_var_log_t) - - files_list_pids($1) - admin_pattern($1, openvpn_var_run_t) -') diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te deleted file mode 100644 index 8b550f4da..000000000 --- a/policy/modules/services/openvpn.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(openvpn, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow openvpn to read home directories -##

-## -gen_tunable(openvpn_enable_homedirs, false) - -# main openvpn domain -type openvpn_t; -type openvpn_exec_t; -init_daemon_domain(openvpn_t, openvpn_exec_t) - -# configuration files -type openvpn_etc_t; -files_config_file(openvpn_etc_t) - -type openvpn_etc_rw_t; -files_config_file(openvpn_etc_rw_t) - -type openvpn_initrc_exec_t; -init_script_file(openvpn_initrc_exec_t) - -# log files -type openvpn_var_log_t; -logging_log_file(openvpn_var_log_t) - -# pid files -type openvpn_var_run_t; -files_pid_file(openvpn_var_run_t) - -######################################## -# -# openvpn local policy -# - -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; -allow openvpn_t self:process { signal getsched }; -allow openvpn_t self:fifo_file rw_fifo_file_perms; - -allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; -allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow openvpn_t self:udp_socket create_socket_perms; -allow openvpn_t self:tcp_socket server_stream_socket_perms; -allow openvpn_t self:tun_socket create; -allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; - -can_exec(openvpn_t, openvpn_etc_t) -read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) -read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) - -manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) -filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) - -allow openvpn_t openvpn_var_log_t:file manage_file_perms; -logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) - -manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(openvpn_t) -kernel_read_net_sysctls(openvpn_t) -kernel_read_network_state(openvpn_t) -kernel_read_system_state(openvpn_t) - -corecmd_exec_bin(openvpn_t) -corecmd_exec_shell(openvpn_t) - -corenet_all_recvfrom_unlabeled(openvpn_t) -corenet_all_recvfrom_netlabel(openvpn_t) -corenet_tcp_sendrecv_generic_if(openvpn_t) -corenet_udp_sendrecv_generic_if(openvpn_t) -corenet_tcp_sendrecv_generic_node(openvpn_t) -corenet_udp_sendrecv_generic_node(openvpn_t) -corenet_tcp_sendrecv_all_ports(openvpn_t) -corenet_udp_sendrecv_all_ports(openvpn_t) -corenet_tcp_bind_generic_node(openvpn_t) -corenet_udp_bind_generic_node(openvpn_t) -corenet_tcp_bind_openvpn_port(openvpn_t) -corenet_udp_bind_openvpn_port(openvpn_t) -corenet_tcp_bind_http_port(openvpn_t) -corenet_tcp_connect_openvpn_port(openvpn_t) -corenet_tcp_connect_http_port(openvpn_t) -corenet_tcp_connect_http_cache_port(openvpn_t) -corenet_rw_tun_tap_dev(openvpn_t) -corenet_sendrecv_openvpn_server_packets(openvpn_t) -corenet_sendrecv_openvpn_client_packets(openvpn_t) -corenet_sendrecv_http_client_packets(openvpn_t) - -dev_search_sysfs(openvpn_t) -dev_read_rand(openvpn_t) -dev_read_urand(openvpn_t) - -files_read_etc_files(openvpn_t) -files_read_etc_runtime_files(openvpn_t) - -auth_use_pam(openvpn_t) - -logging_send_syslog_msg(openvpn_t) - -miscfiles_read_localization(openvpn_t) -miscfiles_read_all_certs(openvpn_t) - -sysnet_dns_name_resolve(openvpn_t) -sysnet_exec_ifconfig(openvpn_t) -sysnet_manage_config(openvpn_t) -sysnet_etc_filetrans_config(openvpn_t) - -userdom_use_user_terminals(openvpn_t) - -tunable_policy(`openvpn_enable_homedirs',` - userdom_read_user_home_content_files(openvpn_t) -') - -tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(openvpn_t) - fs_read_nfs_symlinks(openvpn_t) -') - -tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(openvpn_t) - fs_read_cifs_symlinks(openvpn_t) -') - -optional_policy(` - daemontools_service_domain(openvpn_t, openvpn_exec_t) -') - -optional_policy(` - dbus_system_bus_client(openvpn_t) - dbus_connect_system_bus(openvpn_t) - - networkmanager_dbus_chat(openvpn_t) -') diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc deleted file mode 100644 index 0870c560e..000000000 --- a/policy/modules/services/pads.fc +++ /dev/null @@ -1,10 +0,0 @@ -/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) -/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) -/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) - -/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) - -/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) - -/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if deleted file mode 100644 index 8ac407e5f..000000000 --- a/policy/modules/services/pads.if +++ /dev/null @@ -1,44 +0,0 @@ -## Passive Asset Detection System -## -##

-## PADS is a libpcap based detection engine used to -## passively detect network assets. It is designed to -## complement IDS technology by providing context to IDS -## alerts. -##

-## - -######################################## -## -## All of the rules required to administrate -## an pads environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`pads_admin', ` - gen_require(` - type pads_t, pads_config_t; - type pads_var_run_t, pads_initrc_exec_t; - ') - - allow $1 pads_t:process { ptrace signal_perms }; - ps_process_pattern($1, pads_t) - - init_labeled_script_domtrans($1, pads_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pads_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, pads_var_run_t) - admin_pattern($1, pads_config_t) -') diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te deleted file mode 100644 index b246bdd50..000000000 --- a/policy/modules/services/pads.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(pads, 1.0.0) - -######################################## -# -# Declarations -# - -type pads_t; -type pads_exec_t; -init_daemon_domain(pads_t, pads_exec_t) -role system_r types pads_t; - -type pads_initrc_exec_t; -init_script_file(pads_initrc_exec_t) - -type pads_config_t; -files_config_file(pads_config_t) - -type pads_var_run_t; -files_pid_file(pads_var_run_t) - -######################################## -# -# Declarations -# - -allow pads_t self:capability { dac_override net_raw }; -allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; -allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; -allow pads_t self:udp_socket { create ioctl }; -allow pads_t self:unix_dgram_socket { write create connect }; - -allow pads_t pads_config_t:file manage_file_perms; -files_etc_filetrans(pads_t, pads_config_t, file) - -allow pads_t pads_var_run_t:file manage_file_perms; -files_pid_filetrans(pads_t, pads_var_run_t, file) - -kernel_read_sysctl(pads_t) - -corecmd_search_bin(pads_t) - -corenet_all_recvfrom_unlabeled(pads_t) -corenet_all_recvfrom_netlabel(pads_t) -corenet_tcp_sendrecv_generic_if(pads_t) -corenet_tcp_sendrecv_generic_node(pads_t) -corenet_tcp_connect_prelude_port(pads_t) - -dev_read_rand(pads_t) -dev_read_urand(pads_t) - -files_read_etc_files(pads_t) -files_search_spool(pads_t) - -miscfiles_read_localization(pads_t) - -logging_send_syslog_msg(pads_t) - -sysnet_dns_name_resolve(pads_t) - -optional_policy(` - prelude_manage_spool(pads_t) -') diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc deleted file mode 100644 index 87f17e8d2..000000000 --- a/policy/modules/services/pcscd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) - -/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if deleted file mode 100644 index 1c2a09130..000000000 --- a/policy/modules/services/pcscd.if +++ /dev/null @@ -1,95 +0,0 @@ -## PCSC smart card service - -######################################## -## -## Execute a domain transition to run pcscd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pcscd_domtrans',` - gen_require(` - type pcscd_t, pcscd_exec_t; - ') - - domtrans_pattern($1, pcscd_exec_t, pcscd_t) -') - -######################################## -## -## Read pcscd pub files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_read_pub_files',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - allow $1 pcscd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage pcscd pub files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_manage_pub_files',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) -') - -######################################## -## -## Manage pcscd pub fifo files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_manage_pub_pipes',` - gen_require(` - type pcscd_var_run_t; - ') - - files_search_pids($1) - manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) -') - -######################################## -## -## Connect to pcscd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcscd_stream_connect',` - gen_require(` - type pcscd_t, pcscd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) -') diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te deleted file mode 100644 index ceafba61c..000000000 --- a/policy/modules/services/pcscd.te +++ /dev/null @@ -1,79 +0,0 @@ -policy_module(pcscd, 1.7.0) - -######################################## -# -# Declarations -# - -type pcscd_t; -type pcscd_exec_t; -domain_type(pcscd_t) -init_daemon_domain(pcscd_t, pcscd_exec_t) - -# pid files -type pcscd_var_run_t; -files_pid_file(pcscd_var_run_t) - -######################################## -# -# pcscd local policy -# - -allow pcscd_t self:capability { dac_override dac_read_search }; -allow pcscd_t self:process signal; -allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket create_stream_socket_perms; -allow pcscd_t self:unix_dgram_socket create_socket_perms; -allow pcscd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) - -kernel_read_system_state(pcscd_t) - -corenet_all_recvfrom_unlabeled(pcscd_t) -corenet_all_recvfrom_netlabel(pcscd_t) -corenet_tcp_sendrecv_generic_if(pcscd_t) -corenet_tcp_sendrecv_generic_node(pcscd_t) -corenet_tcp_sendrecv_all_ports(pcscd_t) -corenet_tcp_connect_http_port(pcscd_t) - -dev_rw_generic_usb_dev(pcscd_t) -dev_rw_smartcard(pcscd_t) -dev_rw_usbfs(pcscd_t) -dev_read_sysfs(pcscd_t) - -files_read_etc_files(pcscd_t) -files_read_etc_runtime_files(pcscd_t) - -term_use_unallocated_ttys(pcscd_t) -term_dontaudit_getattr_pty_dirs(pcscd_t) - -locallogin_use_fds(pcscd_t) - -logging_send_syslog_msg(pcscd_t) - -miscfiles_read_localization(pcscd_t) - -sysnet_dns_name_resolve(pcscd_t) - -optional_policy(` - dbus_system_bus_client(pcscd_t) - - optional_policy(` - hal_dbus_chat(pcscd_t) - ') -') - -optional_policy(` - openct_stream_connect(pcscd_t) - openct_read_pid_files(pcscd_t) - openct_signull(pcscd_t) -') - -optional_policy(` - rpm_use_script_fds(pcscd_t) -') diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc deleted file mode 100644 index 95150438f..000000000 --- a/policy/modules/services/pegasus.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) - -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) - -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/policy/modules/services/pegasus.if b/policy/modules/services/pegasus.if deleted file mode 100644 index 920b13ffd..000000000 --- a/policy/modules/services/pegasus.if +++ /dev/null @@ -1 +0,0 @@ -## The Open Group Pegasus CIM/WBEM Server. diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te deleted file mode 100644 index 318511466..000000000 --- a/policy/modules/services/pegasus.te +++ /dev/null @@ -1,138 +0,0 @@ -policy_module(pegasus, 1.8.0) - -######################################## -# -# Declarations -# - -type pegasus_t; -type pegasus_exec_t; -init_daemon_domain(pegasus_t, pegasus_exec_t) - -type pegasus_data_t; -files_type(pegasus_data_t) - -type pegasus_tmp_t; -files_tmp_file(pegasus_tmp_t) - -type pegasus_conf_t; -files_type(pegasus_conf_t) - -type pegasus_mof_t; -files_type(pegasus_mof_t) - -type pegasus_var_run_t; -files_pid_file(pegasus_var_run_t) - -######################################## -# -# Local policy -# - -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; -allow pegasus_t self:fifo_file rw_fifo_file_perms; -allow pegasus_t self:unix_dgram_socket create_socket_perms; -allow pegasus_t self:unix_stream_socket create_stream_socket_perms; -allow pegasus_t self:tcp_socket create_stream_socket_perms; - -allow pegasus_t pegasus_conf_t:dir rw_dir_perms; -allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; -allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) - -can_exec(pegasus_t, pegasus_exec_t) - -allow pegasus_t pegasus_mof_t:dir list_dir_perms; -read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) -read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) - -manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) - -allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; -manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -files_pid_filetrans(pegasus_t, pegasus_var_run_t, file) - -kernel_read_kernel_sysctls(pegasus_t) -kernel_read_fs_sysctls(pegasus_t) -kernel_read_system_state(pegasus_t) -kernel_search_vm_sysctl(pegasus_t) -kernel_read_net_sysctls(pegasus_t) - -corenet_all_recvfrom_unlabeled(pegasus_t) -corenet_all_recvfrom_netlabel(pegasus_t) -corenet_tcp_sendrecv_generic_if(pegasus_t) -corenet_tcp_sendrecv_generic_node(pegasus_t) -corenet_tcp_sendrecv_all_ports(pegasus_t) -corenet_tcp_bind_generic_node(pegasus_t) -corenet_tcp_bind_pegasus_http_port(pegasus_t) -corenet_tcp_bind_pegasus_https_port(pegasus_t) -corenet_tcp_connect_pegasus_http_port(pegasus_t) -corenet_tcp_connect_pegasus_https_port(pegasus_t) -corenet_tcp_connect_generic_port(pegasus_t) -corenet_sendrecv_generic_client_packets(pegasus_t) -corenet_sendrecv_pegasus_http_client_packets(pegasus_t) -corenet_sendrecv_pegasus_http_server_packets(pegasus_t) -corenet_sendrecv_pegasus_https_client_packets(pegasus_t) -corenet_sendrecv_pegasus_https_server_packets(pegasus_t) - -corecmd_exec_bin(pegasus_t) -corecmd_exec_shell(pegasus_t) - -dev_read_sysfs(pegasus_t) -dev_read_urand(pegasus_t) - -fs_getattr_all_fs(pegasus_t) -fs_search_auto_mountpoints(pegasus_t) -files_getattr_all_dirs(pegasus_t) - -auth_use_nsswitch(pegasus_t) -auth_domtrans_chk_passwd(pegasus_t) - -domain_use_interactive_fds(pegasus_t) -domain_read_all_domains_state(pegasus_t) - -files_read_etc_files(pegasus_t) -files_list_var_lib(pegasus_t) -files_read_var_lib_files(pegasus_t) -files_read_var_lib_symlinks(pegasus_t) - -hostname_exec(pegasus_t) - -init_rw_utmp(pegasus_t) -init_stream_connect_script(pegasus_t) - -logging_send_audit_msgs(pegasus_t) -logging_send_syslog_msg(pegasus_t) - -miscfiles_read_localization(pegasus_t) - -sysnet_read_config(pegasus_t) -sysnet_domtrans_ifconfig(pegasus_t) - -userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -userdom_dontaudit_search_user_home_dirs(pegasus_t) - -optional_policy(` - rpm_exec(pegasus_t) -') - -optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) -') - -optional_policy(` - udev_read_db(pegasus_t) -') - -optional_policy(` - unconfined_signull(pegasus_t) -') diff --git a/policy/modules/services/perdition.fc b/policy/modules/services/perdition.fc deleted file mode 100644 index bcdf89b7c..000000000 --- a/policy/modules/services/perdition.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0) - -/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0) diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if deleted file mode 100644 index 2b0bd6412..000000000 --- a/policy/modules/services/perdition.if +++ /dev/null @@ -1,15 +0,0 @@ -## Perdition POP and IMAP proxy - -######################################## -## -## Connect to perdition over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`perdition_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te deleted file mode 100644 index 363627710..000000000 --- a/policy/modules/services/perdition.te +++ /dev/null @@ -1,75 +0,0 @@ -policy_module(perdition, 1.7.0) - -######################################## -# -# Declarations -# - -type perdition_t; -type perdition_exec_t; -init_daemon_domain(perdition_t, perdition_exec_t) - -type perdition_etc_t; -files_config_file(perdition_etc_t) - -type perdition_var_run_t; -files_pid_file(perdition_var_run_t) - -######################################## -# -# Local policy -# - -allow perdition_t self:capability { setgid setuid }; -dontaudit perdition_t self:capability sys_tty_config; -allow perdition_t self:process signal_perms; -allow perdition_t self:tcp_socket create_stream_socket_perms; -allow perdition_t self:udp_socket create_socket_perms; - -allow perdition_t perdition_etc_t:file read_file_perms; -files_search_etc(perdition_t) - -manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t) -files_pid_filetrans(perdition_t, perdition_var_run_t, file) - -kernel_read_kernel_sysctls(perdition_t) -kernel_list_proc(perdition_t) -kernel_read_proc_symlinks(perdition_t) - -corenet_all_recvfrom_unlabeled(perdition_t) -corenet_all_recvfrom_netlabel(perdition_t) -corenet_tcp_sendrecv_generic_if(perdition_t) -corenet_udp_sendrecv_generic_if(perdition_t) -corenet_tcp_sendrecv_generic_node(perdition_t) -corenet_udp_sendrecv_generic_node(perdition_t) -corenet_tcp_sendrecv_all_ports(perdition_t) -corenet_udp_sendrecv_all_ports(perdition_t) -corenet_tcp_bind_generic_node(perdition_t) -corenet_tcp_bind_pop_port(perdition_t) -corenet_sendrecv_pop_server_packets(perdition_t) - -dev_read_sysfs(perdition_t) - -domain_use_interactive_fds(perdition_t) - -fs_getattr_all_fs(perdition_t) -fs_search_auto_mountpoints(perdition_t) - -files_read_etc_files(perdition_t) - -logging_send_syslog_msg(perdition_t) - -miscfiles_read_localization(perdition_t) - -sysnet_read_config(perdition_t) - -userdom_dontaudit_use_unpriv_user_fds(perdition_t) -userdom_dontaudit_search_user_home_dirs(perdition_t) - -optional_policy(` - seutil_sigchld_newrole(perdition_t) -') - -optional_policy(` - udev_read_db(perdition_t) -') diff --git a/policy/modules/services/pingd.fc b/policy/modules/services/pingd.fc deleted file mode 100644 index ea085f7e3..000000000 --- a/policy/modules/services/pingd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) -/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) - -/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) - -/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if deleted file mode 100644 index 8688aaec2..000000000 --- a/policy/modules/services/pingd.if +++ /dev/null @@ -1,97 +0,0 @@ -## Pingd of the Whatsup cluster node up/down detection utility - -######################################## -## -## Execute a domain transition to run pingd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pingd_domtrans',` - gen_require(` - type pingd_t, pingd_exec_t; - ') - - domtrans_pattern($1, pingd_exec_t, pingd_t) -') - -####################################### -## -## Read pingd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pingd_read_config',` - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, pingd_etc_t, pingd_etc_t) -') - -####################################### -## -## Manage pingd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pingd_manage_config',` - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) - manage_files_pattern($1, pingd_etc_t, pingd_etc_t) - -') - -####################################### -## -## All of the rules required to administrate -## an pingd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the pingd domain. -## -## -## -# -interface(`pingd_admin',` - gen_require(` - type pingd_t, pingd_etc_t; - type pingd_initrc_exec_t, pingd_modules_t; - ') - - allow $1 pingd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pingd_t) - - init_labeled_script_domtrans($1, pingd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pingd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, pingd_etc_t) - - files_list_usr($1) - admin_pattern($1, pingd_modules_t) -') diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te deleted file mode 100644 index e9cf8a495..000000000 --- a/policy/modules/services/pingd.te +++ /dev/null @@ -1,47 +0,0 @@ -policy_module(pingd, 1.0.0) - -######################################## -# -# Declarations -# - -type pingd_t; -type pingd_exec_t; -init_daemon_domain(pingd_t, pingd_exec_t) - -# type for config -type pingd_etc_t; -files_type(pingd_etc_t) - -type pingd_initrc_exec_t; -init_script_file(pingd_initrc_exec_t) - -# type for pingd modules -type pingd_modules_t; -files_type(pingd_modules_t) - -######################################## -# -# pingd local policy -# - -allow pingd_t self:capability net_raw; -allow pingd_t self:tcp_socket create_stream_socket_perms; -allow pingd_t self:rawip_socket { write read create bind }; - -read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) - -read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) -mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) - -corenet_raw_bind_generic_node(pingd_t) -corenet_tcp_bind_generic_node(pingd_t) -corenet_tcp_bind_pingd_port(pingd_t) - -auth_use_nsswitch(pingd_t) - -files_search_usr(pingd_t) - -logging_send_syslog_msg(pingd_t) - -miscfiles_read_localization(pingd_t) diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc deleted file mode 100644 index 5702ca426..000000000 --- a/policy/modules/services/plymouthd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - -/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) - -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if deleted file mode 100644 index 9759ed80b..000000000 --- a/policy/modules/services/plymouthd.if +++ /dev/null @@ -1,260 +0,0 @@ -## Plymouth graphical boot - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouthd_domtrans', ` - gen_require(` - type plymouthd_t, plymouthd_exec_t; - ') - - domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) -') - -######################################## -## -## Execute the plymoth daemon in the current domain -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_exec', ` - gen_require(` - type plymouthd_exec_t; - ') - - can_exec($1, plymouthd_exec_t) -') - -######################################## -## -## Allow domain to Stream socket connect -## to Plymouth daemon. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_stream_connect', ` - gen_require(` - type plymouthd_t; - ') - - allow $1 plymouthd_t:unix_stream_socket connectto; -') - -######################################## -## -## Execute the plymoth command in the current domain -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_exec_plymouth', ` - gen_require(` - type plymouth_exec_t; - ') - - can_exec($1, plymouth_exec_t) -') - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouthd_domtrans_plymouth', ` - gen_require(` - type plymouth_t, plymouth_exec_t; - ') - - domtrans_pattern($1, plymouth_exec_t, plymouth_t) -') - -######################################## -## -## Search plymouthd spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_search_spool', ` - gen_require(` - type plymouthd_spool_t; - ') - - allow $1 plymouthd_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read plymouthd spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_read_spool_files', ` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## Create, read, write, and delete -## plymouthd spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_manage_spool_files', ` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## Search plymouthd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_search_lib', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - allow $1 plymouthd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_read_lib_files', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_manage_lib_files', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## -## Read plymouthd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouthd_read_pid_files', ` - gen_require(` - type plymouthd_var_run_t; - ') - - files_search_pids($1) - allow $1 plymouthd_var_run_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an plymouthd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`plymouthd_admin', ` - gen_require(` - type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; - type plymouthd_var_run_t; - ') - - allow $1 plymouthd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, plymouthd_t, plymouthd_t) - - admin_pattern($1, plymouthd_spool_t) - - admin_pattern($1, plymouthd_var_lib_t) - - admin_pattern($1, plymouthd_var_run_t) -') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te deleted file mode 100644 index 86700edbd..000000000 --- a/policy/modules/services/plymouthd.te +++ /dev/null @@ -1,99 +0,0 @@ -policy_module(plymouthd, 1.1.0) - -######################################## -# -# Declarations -# - -type plymouth_t; -type plymouth_exec_t; -application_domain(plymouth_t, plymouth_exec_t) - -type plymouthd_t; -type plymouthd_exec_t; -init_daemon_domain(plymouthd_t, plymouthd_exec_t) - -type plymouthd_spool_t; -files_type(plymouthd_spool_t) - -type plymouthd_var_lib_t; -files_type(plymouthd_var_lib_t) - -type plymouthd_var_run_t; -files_pid_file(plymouthd_var_run_t) - -######################################## -# -# Plymouthd private policy -# - -allow plymouthd_t self:capability { sys_admin sys_tty_config }; -dontaudit plymouthd_t self:capability dac_override; -allow plymouthd_t self:process { signal getsched }; -allow plymouthd_t self:fifo_file rw_fifo_file_perms; -allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) - -kernel_read_system_state(plymouthd_t) -kernel_request_load_module(plymouthd_t) -kernel_change_ring_buffer_level(plymouthd_t) - -dev_rw_dri(plymouthd_t) -dev_read_sysfs(plymouthd_t) -dev_read_framebuffer(plymouthd_t) -dev_write_framebuffer(plymouthd_t) - -domain_use_interactive_fds(plymouthd_t) - -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - -miscfiles_read_localization(plymouthd_t) -miscfiles_read_fonts(plymouthd_t) -miscfiles_manage_fonts_cache(plymouthd_t) - -######################################## -# -# Plymouth private policy -# - -allow plymouth_t self:process signal; -allow plymouth_t self:fifo_file rw_file_perms; -allow plymouth_t self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(plymouth_t) - -domain_use_interactive_fds(plymouth_t) - -files_read_etc_files(plymouth_t) - -term_use_ptmx(plymouth_t) - -miscfiles_read_localization(plymouth_t) - -sysnet_read_config(plymouth_t) - -plymouthd_stream_connect(plymouth_t) - -ifdef(`hide_broken_symptoms', ` - optional_policy(` - hal_dontaudit_write_log(plymouth_t) - hal_dontaudit_rw_pipes(plymouth_t) - ') -') - -optional_policy(` - lvm_domtrans(plymouth_t) -') diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc deleted file mode 100644 index 27c739c97..000000000 --- a/policy/modules/services/policykit.fc +++ /dev/null @@ -1,15 +0,0 @@ -/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) - -/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) - -/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) -/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) - diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if deleted file mode 100644 index 48ff1e8a3..000000000 --- a/policy/modules/services/policykit.if +++ /dev/null @@ -1,209 +0,0 @@ -## Policy framework for controlling privileges for system-wide services. - -######################################## -## -## Send and receive messages from -## policykit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_dbus_chat',` - gen_require(` - type policykit_t; - class dbus send_msg; - ') - - allow $1 policykit_t:dbus send_msg; - allow policykit_t $1:dbus send_msg; -') - -######################################## -## -## Execute a domain transition to run polkit_auth. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_domtrans_auth',` - gen_require(` - type policykit_auth_t, policykit_auth_exec_t; - ') - - domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) -') - -######################################## -## -## Execute a policy_auth in the policy_auth domain, and -## allow the specified role the policy_auth domain, -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`policykit_run_auth',` - gen_require(` - type policykit_auth_t; - ') - - policykit_domtrans_auth($1) - role $2 types policykit_auth_t; -') - -######################################## -## -## Execute a domain transition to run polkit_grant. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_domtrans_grant',` - gen_require(` - type policykit_grant_t, policykit_grant_exec_t; - ') - - domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) -') - -######################################## -## -## Execute a policy_grant in the policy_grant domain, and -## allow the specified role the policy_grant domain, -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`policykit_run_grant',` - gen_require(` - type policykit_grant_t; - ') - - policykit_domtrans_grant($1) - role $2 types policykit_grant_t; - - allow $1 policykit_grant_t:process signal; - - ps_process_pattern(policykit_grant_t, $1) -') - -######################################## -## -## read policykit reload files -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_read_reload',` - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_reload_t, policykit_reload_t) -') - -######################################## -## -## rw policykit reload files -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_rw_reload',` - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, policykit_reload_t, policykit_reload_t) -') - -######################################## -## -## Execute a domain transition to run polkit_resolve. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`policykit_domtrans_resolve',` - gen_require(` - type policykit_resolve_t, policykit_resolve_exec_t; - ') - - domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) - - ps_process_pattern(policykit_resolve_t, $1) -') - -######################################## -## -## Search policykit lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_search_lib',` - gen_require(` - type policykit_var_lib_t; - ') - - allow $1 policykit_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## read policykit lib files -## -## -## -## Domain allowed access. -## -## -# -interface(`policykit_read_lib',` - gen_require(` - type policykit_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) -') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te deleted file mode 100644 index 1e7169d87..000000000 --- a/policy/modules/services/policykit.te +++ /dev/null @@ -1,210 +0,0 @@ -policy_module(policykit, 1.1.0) - -######################################## -# -# Declarations -# - -type policykit_t alias polkit_t; -type policykit_exec_t alias polkit_exec_t; -init_daemon_domain(policykit_t, policykit_exec_t) - -type policykit_auth_t alias polkit_auth_t; -type policykit_auth_exec_t alias polkit_auth_exec_t; -init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) - -type policykit_grant_t alias polkit_grant_t; -type policykit_grant_exec_t alias polkit_grant_exec_t; -init_system_domain(policykit_grant_t, policykit_grant_exec_t) - -type policykit_resolve_t alias polkit_resolve_t; -type policykit_resolve_exec_t alias polkit_resolve_exec_t; -init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) - -type policykit_reload_t alias polkit_reload_t; -files_type(policykit_reload_t) - -type policykit_var_lib_t alias polkit_var_lib_t; -files_type(policykit_var_lib_t) - -type policykit_var_run_t alias polkit_var_run_t; -files_pid_file(policykit_var_run_t) - -######################################## -# -# policykit local policy -# - -allow policykit_t self:capability { setgid setuid }; -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; -allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket create_stream_socket_perms; - -policykit_domtrans_auth(policykit_t) - -can_exec(policykit_t, policykit_exec_t) -corecmd_exec_bin(policykit_t) - -rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) - -policykit_domtrans_resolve(policykit_t) - -manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) - -manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) -manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) -files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(policykit_t) - -files_read_etc_files(policykit_t) -files_read_usr_files(policykit_t) - -auth_use_nsswitch(policykit_t) - -logging_send_syslog_msg(policykit_t) - -miscfiles_read_localization(policykit_t) - -userdom_read_all_users_state(policykit_t) - -######################################## -# -# polkit_auth local policy -# - -allow policykit_auth_t self:capability setgid; -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; -allow policykit_auth_t self:unix_dgram_socket create_socket_perms; -allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; - -can_exec(policykit_auth_t, policykit_auth_exec_t) -corecmd_search_bin(policykit_auth_t) - -rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) - -manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t) - -manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) -manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) -files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) - -kernel_read_system_state(policykit_auth_t) - -files_read_etc_files(policykit_auth_t) -files_read_usr_files(policykit_auth_t) - -auth_use_nsswitch(policykit_auth_t) - -logging_send_syslog_msg(policykit_auth_t) - -miscfiles_read_localization(policykit_auth_t) - -userdom_dontaudit_read_user_home_content_files(policykit_auth_t) - -optional_policy(` - dbus_system_bus_client(policykit_auth_t) - dbus_session_bus_client(policykit_auth_t) - - optional_policy(` - consolekit_dbus_chat(policykit_auth_t) - ') -') - -optional_policy(` - kernel_search_proc(policykit_auth_t) - hal_read_state(policykit_auth_t) -') - -######################################## -# -# polkit_grant local policy -# - -allow policykit_grant_t self:capability setuid; -allow policykit_grant_t self:process getattr; -allow policykit_grant_t self:fifo_file rw_file_perms; -allow policykit_grant_t self:unix_dgram_socket create_socket_perms; -allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; - -policykit_domtrans_auth(policykit_grant_t) - -policykit_domtrans_resolve(policykit_grant_t) - -can_exec(policykit_grant_t, policykit_grant_exec_t) -corecmd_search_bin(policykit_grant_t) - -rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) - -manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t) - -manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) - -files_read_etc_files(policykit_grant_t) -files_read_usr_files(policykit_grant_t) - -auth_use_nsswitch(policykit_grant_t) -auth_domtrans_chk_passwd(policykit_grant_t) - -logging_send_syslog_msg(policykit_grant_t) - -miscfiles_read_localization(policykit_grant_t) - -userdom_read_all_users_state(policykit_grant_t) - -optional_policy(` - dbus_system_bus_client(policykit_grant_t) - - optional_policy(` - consolekit_dbus_chat(policykit_grant_t) - ') -') - -######################################## -# -# polkit_resolve local policy -# - -allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; -allow policykit_resolve_t self:process getattr; -allow policykit_resolve_t self:fifo_file rw_file_perms; -allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; -allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; - -policykit_domtrans_auth(policykit_resolve_t) - -read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) - -read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) - -can_exec(policykit_resolve_t, policykit_resolve_exec_t) -corecmd_search_bin(policykit_resolve_t) - -files_read_etc_files(policykit_resolve_t) -files_read_usr_files(policykit_resolve_t) - -mcs_ptrace_all(policykit_resolve_t) - -auth_use_nsswitch(policykit_resolve_t) - -logging_send_syslog_msg(policykit_resolve_t) - -miscfiles_read_localization(policykit_resolve_t) - -userdom_read_all_users_state(policykit_resolve_t) - -optional_policy(` - dbus_system_bus_client(policykit_resolve_t) - - optional_policy(` - consolekit_dbus_chat(policykit_resolve_t) - ') -') - -optional_policy(` - kernel_search_proc(policykit_resolve_t) - hal_read_state(policykit_resolve_t) -') - diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc deleted file mode 100644 index 76f58342b..000000000 --- a/policy/modules/services/portmap.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - -ifdef(`distro_debian',` -/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -', ` -/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -') - -/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if deleted file mode 100644 index 374afcf7e..000000000 --- a/policy/modules/services/portmap.if +++ /dev/null @@ -1,89 +0,0 @@ -## RPC port mapping service. - -######################################## -## -## Execute portmap_helper in the helper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portmap_domtrans_helper',` - gen_require(` - type portmap_helper_t, portmap_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t) -') - -######################################## -## -## Execute portmap helper in the helper domain, and -## allow the specified role the helper domain. -## Communicate with portmap. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`portmap_run_helper',` - gen_require(` - type portmap_t, portmap_helper_t; - ') - - portmap_domtrans_helper($1) - role $2 types portmap_helper_t; -') - -######################################## -## -## Send UDP network traffic to portmap. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`portmap_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send and receive UDP network traffic from portmap. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`portmap_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Connect to portmap over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`portmap_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te deleted file mode 100644 index 333a1fe06..000000000 --- a/policy/modules/services/portmap.te +++ /dev/null @@ -1,150 +0,0 @@ -policy_module(portmap, 1.9.0) - -######################################## -# -# Declarations -# - -type portmap_t; -type portmap_exec_t; -init_daemon_domain(portmap_t, portmap_exec_t) - -type portmap_helper_t; -type portmap_helper_exec_t; -init_system_domain(portmap_helper_t, portmap_helper_exec_t) -role system_r types portmap_helper_t; - -type portmap_tmp_t; -files_tmp_file(portmap_tmp_t) - -type portmap_var_run_t; -files_pid_file(portmap_var_run_t) - -######################################## -# -# Portmap local policy -# - -allow portmap_t self:capability { setuid setgid }; -dontaudit portmap_t self:capability sys_tty_config; -allow portmap_t self:netlink_route_socket r_netlink_socket_perms; -allow portmap_t self:unix_dgram_socket create_socket_perms; -allow portmap_t self:unix_stream_socket create_stream_socket_perms; -allow portmap_t self:tcp_socket create_stream_socket_perms; -allow portmap_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) -manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) -files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir }) - -manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) -files_pid_filetrans(portmap_t, portmap_var_run_t, file) - -kernel_read_system_state(portmap_t) -kernel_read_kernel_sysctls(portmap_t) - -corenet_all_recvfrom_unlabeled(portmap_t) -corenet_all_recvfrom_netlabel(portmap_t) -corenet_tcp_sendrecv_generic_if(portmap_t) -corenet_udp_sendrecv_generic_if(portmap_t) -corenet_tcp_sendrecv_generic_node(portmap_t) -corenet_udp_sendrecv_generic_node(portmap_t) -corenet_tcp_sendrecv_all_ports(portmap_t) -corenet_udp_sendrecv_all_ports(portmap_t) -corenet_tcp_bind_generic_node(portmap_t) -corenet_udp_bind_generic_node(portmap_t) -corenet_tcp_bind_portmap_port(portmap_t) -corenet_udp_bind_portmap_port(portmap_t) -corenet_tcp_connect_all_ports(portmap_t) -corenet_sendrecv_portmap_client_packets(portmap_t) -corenet_sendrecv_portmap_server_packets(portmap_t) -# portmap binds to arbitary ports -corenet_tcp_bind_generic_port(portmap_t) -corenet_udp_bind_generic_port(portmap_t) -corenet_tcp_bind_reserved_port(portmap_t) -corenet_udp_bind_reserved_port(portmap_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t) -corenet_dontaudit_udp_bind_all_ports(portmap_t) - -dev_read_sysfs(portmap_t) - -fs_getattr_all_fs(portmap_t) -fs_search_auto_mountpoints(portmap_t) - -domain_use_interactive_fds(portmap_t) - -files_read_etc_files(portmap_t) - -logging_send_syslog_msg(portmap_t) - -miscfiles_read_localization(portmap_t) - -sysnet_read_config(portmap_t) - -userdom_dontaudit_use_unpriv_user_fds(portmap_t) -userdom_dontaudit_search_user_home_dirs(portmap_t) - -optional_policy(` - nis_use_ypbind(portmap_t) -') - -optional_policy(` - nscd_socket_use(portmap_t) -') - -optional_policy(` - seutil_sigchld_newrole(portmap_t) -') - -optional_policy(` - udev_read_db(portmap_t) -') - -######################################## -# -# Portmap helper local policy -# - -dontaudit portmap_helper_t self:capability net_admin; -allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; -allow portmap_helper_t self:tcp_socket create_stream_socket_perms; -allow portmap_helper_t self:udp_socket create_socket_perms; - -allow portmap_helper_t portmap_var_run_t:file manage_file_perms; -files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) - -corenet_all_recvfrom_unlabeled(portmap_helper_t) -corenet_all_recvfrom_netlabel(portmap_helper_t) -corenet_tcp_sendrecv_generic_if(portmap_helper_t) -corenet_udp_sendrecv_generic_if(portmap_helper_t) -corenet_raw_sendrecv_generic_if(portmap_helper_t) -corenet_tcp_sendrecv_generic_node(portmap_helper_t) -corenet_udp_sendrecv_generic_node(portmap_helper_t) -corenet_raw_sendrecv_generic_node(portmap_helper_t) -corenet_tcp_sendrecv_all_ports(portmap_helper_t) -corenet_udp_sendrecv_all_ports(portmap_helper_t) -corenet_tcp_bind_generic_node(portmap_helper_t) -corenet_udp_bind_generic_node(portmap_helper_t) -corenet_tcp_bind_reserved_port(portmap_helper_t) -corenet_udp_bind_reserved_port(portmap_helper_t) -corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t) -corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t) -corenet_tcp_connect_all_ports(portmap_helper_t) - -domain_dontaudit_use_interactive_fds(portmap_helper_t) - -files_read_etc_files(portmap_helper_t) -files_rw_generic_pids(portmap_helper_t) - -init_rw_utmp(portmap_helper_t) - -logging_send_syslog_msg(portmap_helper_t) - -sysnet_read_config(portmap_helper_t) - -userdom_use_user_terminals(portmap_helper_t) -userdom_dontaudit_use_all_users_fds(portmap_helper_t) - -optional_policy(` - nis_use_ypbind(portmap_helper_t) -') diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc deleted file mode 100644 index 4313a6f0a..000000000 --- a/policy/modules/services/portreserve.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - -/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) - -/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) - -/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if deleted file mode 100644 index 7719d1605..000000000 --- a/policy/modules/services/portreserve.if +++ /dev/null @@ -1,120 +0,0 @@ -## Reserve well-known ports in the RPC port range. - -######################################## -## -## Execute a domain transition to run portreserve. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portreserve_domtrans',` - gen_require(` - type portreserve_t, portreserve_exec_t; - ') - - domtrans_pattern($1, portreserve_exec_t, portreserve_t) -') - -####################################### -## -## Allow the specified domain to read -## portreserve etcuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`portreserve_read_config',` - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - allow $1 portreserve_etc_t:dir list_dir_perms; - read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) - read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -') - -####################################### -## -## Allow the specified domain to manage -## portreserve etcuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`portreserve_manage_config',` - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) - manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) - read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -') - -######################################## -## -## Execute portreserve in the portreserve domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portreserve_initrc_domtrans',` - gen_require(` - type portreserve_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, portreserve_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an portreserve environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`portreserve_admin',` - gen_require(` - type portreserve_t, portreserve_etc_t, portreserve_var_run_t; - type portreserve_initrc_exec_t; - ') - - allow $1 portreserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, portreserve_t) - - portreserve_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 portreserve_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, portreserve_etc_t) - - files_list_pids($1) - admin_pattern($1, portreserve_var_run_t) -') diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te deleted file mode 100644 index 152af9296..000000000 --- a/policy/modules/services/portreserve.te +++ /dev/null @@ -1,54 +0,0 @@ -policy_module(portreserve, 1.3.0) - -######################################## -# -# Declarations -# - -type portreserve_t; -type portreserve_exec_t; -init_daemon_domain(portreserve_t, portreserve_exec_t) - -type portreserve_initrc_exec_t; -init_script_file(portreserve_initrc_exec_t) - -type portreserve_etc_t; -files_type(portreserve_etc_t) - -type portreserve_var_run_t; -files_pid_file(portreserve_var_run_t) - -######################################## -# -# Portreserve local policy -# - -allow portreserve_t self:capability { dac_read_search dac_override }; -allow portreserve_t self:fifo_file rw_fifo_file_perms; -allow portreserve_t self:unix_stream_socket create_stream_socket_perms; -allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; -allow portreserve_t self:tcp_socket create_socket_perms; -allow portreserve_t self:udp_socket create_socket_perms; - -# Read etc files -list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) - -# Manage /var/run/portreserve/* -manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) - -corecmd_getattr_bin_files(portreserve_t) - -corenet_all_recvfrom_unlabeled(portreserve_t) -corenet_all_recvfrom_netlabel(portreserve_t) -corenet_tcp_bind_generic_node(portreserve_t) -corenet_udp_bind_generic_node(portreserve_t) -corenet_tcp_bind_all_ports(portreserve_t) -corenet_udp_bind_all_ports(portreserve_t) - -files_read_etc_files(portreserve_t) - -userdom_dontaudit_search_user_home_content(portreserve_t) diff --git a/policy/modules/services/portslave.fc b/policy/modules/services/portslave.fc deleted file mode 100644 index 2dd77861b..000000000 --- a/policy/modules/services/portslave.fc +++ /dev/null @@ -1,4 +0,0 @@ -/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0) - -/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0) -/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0) diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if deleted file mode 100644 index b53ff7788..000000000 --- a/policy/modules/services/portslave.if +++ /dev/null @@ -1,19 +0,0 @@ -## Portslave terminal server software - -######################################## -## -## Execute portslave with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`portslave_domtrans',` - gen_require(` - type portslave_t, portslave_exec_t; - ') - - domtrans_pattern($1, portslave_exec_t, portslave_t) -') diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te deleted file mode 100644 index 69c331ee6..000000000 --- a/policy/modules/services/portslave.te +++ /dev/null @@ -1,125 +0,0 @@ -policy_module(portslave, 1.7.0) - -######################################## -# -# Declarations -# - -type portslave_t; -type portslave_exec_t; -init_domain(portslave_t, portslave_exec_t) -init_daemon_domain(portslave_t, portslave_exec_t) - -type portslave_etc_t; -files_config_file(portslave_etc_t) - -type portslave_lock_t; -files_lock_file(portslave_lock_t) - -######################################## -# -# Local policy -# - -# setuid setgid net_admin fsetid for pppd -# sys_admin for ctlportslave -# net_bind_service for rlogin -allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; -dontaudit portslave_t self:capability sys_admin; -allow portslave_t self:process signal_perms; -allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow portslave_t self:fd use; -allow portslave_t self:fifo_file rw_fifo_file_perms; -allow portslave_t self:unix_dgram_socket create_socket_perms; -allow portslave_t self:unix_stream_socket create_stream_socket_perms; -allow portslave_t self:unix_dgram_socket sendto; -allow portslave_t self:unix_stream_socket connectto; -allow portslave_t self:shm create_shm_perms; -allow portslave_t self:sem create_sem_perms; -allow portslave_t self:msgq create_msgq_perms; -allow portslave_t self:msg { send receive }; -allow portslave_t self:tcp_socket create_stream_socket_perms; -allow portslave_t self:udp_socket create_socket_perms; - -allow portslave_t portslave_etc_t:dir list_dir_perms; -read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) -read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) - -allow portslave_t portslave_lock_t:file manage_file_perms; -files_lock_filetrans(portslave_t, portslave_lock_t, file) - -kernel_read_system_state(portslave_t) -kernel_read_kernel_sysctls(portslave_t) - -corecmd_exec_bin(portslave_t) -corecmd_exec_shell(portslave_t) - -corenet_all_recvfrom_unlabeled(portslave_t) -corenet_all_recvfrom_netlabel(portslave_t) -corenet_tcp_sendrecv_generic_if(portslave_t) -corenet_udp_sendrecv_generic_if(portslave_t) -corenet_tcp_sendrecv_generic_node(portslave_t) -corenet_udp_sendrecv_generic_node(portslave_t) -corenet_tcp_sendrecv_all_ports(portslave_t) -corenet_udp_sendrecv_all_ports(portslave_t) -corenet_rw_ppp_dev(portslave_t) - -dev_read_sysfs(portslave_t) -# for ssh -dev_read_urand(portslave_t) - -domain_use_interactive_fds(portslave_t) - -files_read_etc_files(portslave_t) -files_read_etc_runtime_files(portslave_t) -files_exec_etc_files(portslave_t) - -fs_search_auto_mountpoints(portslave_t) -fs_getattr_xattr_fs(portslave_t) - -term_use_unallocated_ttys(portslave_t) -term_setattr_unallocated_ttys(portslave_t) -term_use_all_ttys(portslave_t) -term_search_ptys(portslave_t) - -auth_rw_login_records(portslave_t) -auth_domtrans_chk_passwd(portslave_t) - -init_rw_utmp(portslave_t) - -logging_send_syslog_msg(portslave_t) -logging_search_logs(portslave_t) - -sysnet_read_config(portslave_t) - -userdom_use_unpriv_users_fds(portslave_t) -# for ~/.ppprc - if it actually exists then you need some policy to read it -userdom_search_user_home_dirs(portslave_t) - -mta_send_mail(portslave_t) - -# this should probably be a domtrans to pppd -# instead of exec. -ppp_read_rw_config(portslave_t) -ppp_exec(portslave_t) -ppp_read_secrets(portslave_t) -ppp_manage_pid_files(portslave_t) -ppp_pid_filetrans(portslave_t) - -ssh_exec(portslave_t) - -optional_policy(` - inetd_tcp_service_domain(portslave_t, portslave_exec_t) -') - -optional_policy(` - nis_use_ypbind(portslave_t) -') - -optional_policy(` - seutil_sigchld_newrole(portslave_t) -') - -optional_policy(` - udev_read_db(portslave_t) -') diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc deleted file mode 100644 index a3e85c915..000000000 --- a/policy/modules/services/postfix.fc +++ /dev/null @@ -1,53 +0,0 @@ -# postfix -/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) -ifdef(`distro_redhat', ` -/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) -/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -', ` -/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -') -/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) -/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) -/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0) -/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) -/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - -/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0) - -/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) -/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) -/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) -/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if deleted file mode 100644 index 46bee1291..000000000 --- a/policy/modules/services/postfix.if +++ /dev/null @@ -1,623 +0,0 @@ -## Postfix email server - -######################################## -## -## Postfix stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_stub',` - gen_require(` - type postfix_master_t; - ') -') - -######################################## -## -## Creates types and rules for a basic -## postfix process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`postfix_domain_template',` - type postfix_$1_t; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - - dontaudit postfix_$1_t self:capability sys_tty_config; - allow postfix_$1_t self:process { signal_perms setpgid }; - allow postfix_$1_t self:unix_dgram_socket create_socket_perms; - allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_$1_t self:unix_stream_socket connectto; - - allow postfix_master_t postfix_$1_t:process signal; - #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 - allow postfix_$1_t postfix_master_t:file read; - - allow postfix_$1_t postfix_etc_t:dir list_dir_perms; - read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) - read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) - - can_exec(postfix_$1_t, postfix_$1_exec_t) - - allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl }; - - allow postfix_$1_t postfix_master_t:process sigchld; - - allow postfix_$1_t postfix_spool_t:dir list_dir_perms; - - allow postfix_$1_t postfix_var_run_t:file manage_file_perms; - files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) - - kernel_read_system_state(postfix_$1_t) - kernel_read_network_state(postfix_$1_t) - kernel_read_all_sysctls(postfix_$1_t) - - dev_read_sysfs(postfix_$1_t) - dev_read_rand(postfix_$1_t) - dev_read_urand(postfix_$1_t) - - fs_search_auto_mountpoints(postfix_$1_t) - fs_getattr_xattr_fs(postfix_$1_t) - fs_rw_anon_inodefs_files(postfix_$1_t) - - term_dontaudit_use_console(postfix_$1_t) - - corecmd_exec_shell(postfix_$1_t) - - files_read_etc_files(postfix_$1_t) - files_read_etc_runtime_files(postfix_$1_t) - files_read_usr_symlinks(postfix_$1_t) - files_search_spool(postfix_$1_t) - files_getattr_tmp_dirs(postfix_$1_t) - files_search_all_mountpoints(postfix_$1_t) - - init_dontaudit_use_fds(postfix_$1_t) - init_sigchld(postfix_$1_t) - - auth_use_nsswitch(postfix_$1_t) - - logging_send_syslog_msg(postfix_$1_t) - - miscfiles_read_localization(postfix_$1_t) - miscfiles_read_generic_certs(postfix_$1_t) - - userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) - - optional_policy(` - udev_read_db(postfix_$1_t) - ') -') - -######################################## -## -## Creates a postfix server process domain. -## -## -## -## Prefix of the domain. -## -## -# -template(`postfix_server_domain_template',` - postfix_domain_template($1) - - type postfix_$1_tmp_t; - files_tmp_file(postfix_$1_tmp_t) - - allow postfix_$1_t self:capability { setuid setgid dac_override }; - allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; - allow postfix_$1_t self:tcp_socket create_socket_perms; - allow postfix_$1_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) - - corenet_all_recvfrom_unlabeled(postfix_$1_t) - corenet_all_recvfrom_netlabel(postfix_$1_t) - corenet_tcp_sendrecv_generic_if(postfix_$1_t) - corenet_udp_sendrecv_generic_if(postfix_$1_t) - corenet_tcp_sendrecv_generic_node(postfix_$1_t) - corenet_udp_sendrecv_generic_node(postfix_$1_t) - corenet_tcp_sendrecv_all_ports(postfix_$1_t) - corenet_udp_sendrecv_all_ports(postfix_$1_t) - corenet_tcp_bind_generic_node(postfix_$1_t) - corenet_udp_bind_generic_node(postfix_$1_t) - corenet_tcp_connect_all_ports(postfix_$1_t) - corenet_sendrecv_all_client_packets(postfix_$1_t) -') - -######################################## -## -## Creates a process domain for programs -## that are ran by users. -## -## -## -## Prefix of the domain. -## -## -# -template(`postfix_user_domain_template',` - gen_require(` - attribute postfix_user_domains, postfix_user_domtrans; - ') - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - - allow postfix_$1_t self:capability dac_override; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) -') - -######################################## -## -## Read postfix configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`postfix_read_config',` - gen_require(` - type postfix_etc_t; - ') - - read_files_pattern($1, postfix_etc_t, postfix_etc_t) - read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) - files_search_etc($1) -') - -######################################## -## -## Create files with the specified type in -## the postfix configuration directories. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -# -interface(`postfix_config_filetrans',` - gen_require(` - type postfix_etc_t; - ') - - files_search_etc($1) - filetrans_pattern($1, postfix_etc_t, $2, $3) -') - -######################################## -## -## Do not audit attempts to read and -## write postfix local delivery -## TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`postfix_dontaudit_rw_local_tcp_sockets',` - gen_require(` - type postfix_local_t; - ') - - dontaudit $1 postfix_local_t:tcp_socket { read write }; -') - -######################################## -## -## Allow read/write postfix local pipes -## TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_rw_local_pipes',` - gen_require(` - type postfix_local_t; - ') - - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Allow domain to read postfix local process state -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_read_local_state',` - gen_require(` - type postfix_local_t; - ') - - read_files_pattern($1, postfix_local_t, postfix_local_t) -') - -######################################## -## -## Allow domain to read postfix master process state -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_read_master_state',` - gen_require(` - type postfix_master_t; - ') - - read_files_pattern($1, postfix_master_t, postfix_master_t) -') - -######################################## -## -## Do not audit attempts to use -## postfix master process file -## file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`postfix_dontaudit_use_fds',` - gen_require(` - type postfix_master_t; - ') - - dontaudit $1 postfix_master_t:fd use; -') - -######################################## -## -## Execute postfix_map in the postfix_map domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_map',` - gen_require(` - type postfix_map_t, postfix_map_exec_t; - ') - - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) -') - -######################################## -## -## Execute postfix_map in the postfix_map domain, and -## allow the specified role the postfix_map domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`postfix_run_map',` - gen_require(` - type postfix_map_t; - ') - - postfix_domtrans_map($1) - role $2 types postfix_map_t; -') - -######################################## -## -## Execute the master postfix program in the -## postfix_master domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_master',` - gen_require(` - type postfix_master_t, postfix_master_exec_t; - ') - - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) -') - -######################################## -## -## Execute the master postfix program in the -## caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_exec_master',` - gen_require(` - type postfix_master_exec_t; - ') - - can_exec($1, postfix_master_exec_t) -') - -####################################### -## -## Connect to postfix master process using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`postfix_stream_connect_master',` - gen_require(` - type postfix_master_t, postfix_public_t; - ') - - stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) -') - -######################################## -## -## Execute the master postdrop in the -## postfix_postdrop domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_postdrop',` - gen_require(` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) -') - -######################################## -## -## Execute the master postqueue in the -## postfix_postqueue domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_postqueue',` - gen_require(` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) -') - -####################################### -## -## Execute the master postqueue in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`posftix_exec_postqueue',` - gen_require(` - type postfix_postqueue_exec_t; - ') - - can_exec($1, postfix_postqueue_exec_t) -') - -######################################## -## -## Create a named socket in a postfix private directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_create_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - allow $1 postfix_private_t:dir list_dir_perms; - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## -## manage named socket in a postfix private directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_manage_private_sockets',` - gen_require(` - type postfix_private_t; - ') - - allow $1 postfix_private_t:dir list_dir_perms; - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) -') - -######################################## -## -## Execute the master postfix program in the -## postfix_master domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`postfix_domtrans_smtp',` - gen_require(` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) -') - -######################################## -## -## Search postfix mail spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_search_spool',` - gen_require(` - type postfix_spool_t; - ') - - allow $1 postfix_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## List postfix mail spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_list_spool',` - gen_require(` - type postfix_spool_t; - ') - - allow $1 postfix_spool_t:dir list_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_read_spool_files',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) -') - -######################################## -## -## Create, read, write, and delete postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_manage_spool_files',` - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -') - -######################################## -## -## Execute postfix user mail programs -## in their respective domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_domtrans_user_mail_handler',` - gen_require(` - attribute postfix_user_domtrans; - ') - - typeattribute $1 postfix_user_domtrans; -') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te deleted file mode 100644 index a1b39a86c..000000000 --- a/policy/modules/services/postfix.te +++ /dev/null @@ -1,632 +0,0 @@ -policy_module(postfix, 1.13.0) - -######################################## -# -# Declarations -# - -attribute postfix_user_domains; -# domains that transition to the -# postfix user domains -attribute postfix_user_domtrans; - -postfix_server_domain_template(bounce) - -type postfix_spool_bounce_t; -files_type(postfix_spool_bounce_t) - -postfix_server_domain_template(cleanup) - -type postfix_etc_t; -files_config_file(postfix_etc_t) - -type postfix_exec_t; -application_executable_file(postfix_exec_t) - -postfix_server_domain_template(local) -mta_mailserver_delivery(postfix_local_t) - -# Program for creating database files -type postfix_map_t; -type postfix_map_exec_t; -application_domain(postfix_map_t, postfix_map_exec_t) -role system_r types postfix_map_t; - -type postfix_map_tmp_t; -files_tmp_file(postfix_map_tmp_t) - -postfix_domain_template(master) -typealias postfix_master_t alias postfix_t; -# alias is a hack to make the disable trans bool -# generation macro work -mta_mailserver(postfix_t, postfix_master_exec_t) - -postfix_server_domain_template(pickup) - -postfix_server_domain_template(pipe) - -postfix_user_domain_template(postdrop) -mta_mailserver_user_agent(postfix_postdrop_t) - -postfix_user_domain_template(postqueue) - -type postfix_private_t; -files_type(postfix_private_t) - -type postfix_prng_t; -files_type(postfix_prng_t) - -postfix_server_domain_template(qmgr) - -postfix_user_domain_template(showq) - -postfix_server_domain_template(smtp) -mta_mailserver_sender(postfix_smtp_t) - -postfix_server_domain_template(smtpd) - -type postfix_spool_t; -files_type(postfix_spool_t) - -type postfix_spool_maildrop_t; -files_type(postfix_spool_maildrop_t) - -type postfix_spool_flush_t; -files_type(postfix_spool_flush_t) - -type postfix_public_t; -files_type(postfix_public_t) - -type postfix_var_run_t; -files_pid_file(postfix_var_run_t) - -# the data_directory config parameter -type postfix_data_t; -files_type(postfix_data_t) - -postfix_server_domain_template(virtual) -mta_mailserver_delivery(postfix_virtual_t) - -######################################## -# -# Postfix master process local policy -# - -# chown is to set the correct ownership of queue dirs -allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -allow postfix_master_t self:fifo_file rw_fifo_file_perms; -allow postfix_master_t self:tcp_socket create_stream_socket_perms; -allow postfix_master_t self:udp_socket create_socket_perms; -allow postfix_master_t self:process setrlimit; - -allow postfix_master_t postfix_etc_t:file rw_file_perms; - -can_exec(postfix_master_t, postfix_exec_t) - -allow postfix_master_t postfix_data_t:dir manage_dir_perms; -allow postfix_master_t postfix_data_t:file manage_file_perms; - -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; - -allow postfix_master_t postfix_postdrop_exec_t:file getattr; - -allow postfix_master_t postfix_postqueue_exec_t:file getattr; - -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) - -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) - -allow postfix_master_t postfix_prng_t:file rw_file_perms; - -manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) - -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) - -# allow access to deferred queue and allow removing bogus incoming entries -manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) - -allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; -allow postfix_master_t postfix_spool_bounce_t:file getattr; - -manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) - -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -kernel_read_all_sysctls(postfix_master_t) - -corenet_all_recvfrom_unlabeled(postfix_master_t) -corenet_all_recvfrom_netlabel(postfix_master_t) -corenet_tcp_sendrecv_generic_if(postfix_master_t) -corenet_udp_sendrecv_generic_if(postfix_master_t) -corenet_tcp_sendrecv_generic_node(postfix_master_t) -corenet_udp_sendrecv_generic_node(postfix_master_t) -corenet_tcp_sendrecv_all_ports(postfix_master_t) -corenet_udp_sendrecv_all_ports(postfix_master_t) -corenet_tcp_bind_generic_node(postfix_master_t) -corenet_tcp_bind_amavisd_send_port(postfix_master_t) -corenet_tcp_bind_smtp_port(postfix_master_t) -corenet_tcp_connect_all_ports(postfix_master_t) -corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) -corenet_sendrecv_smtp_server_packets(postfix_master_t) -corenet_sendrecv_all_client_packets(postfix_master_t) - -# for a find command -selinux_dontaudit_search_fs(postfix_master_t) - -corecmd_exec_shell(postfix_master_t) -corecmd_exec_bin(postfix_master_t) - -domain_use_interactive_fds(postfix_master_t) - -files_read_usr_files(postfix_master_t) - -term_dontaudit_search_ptys(postfix_master_t) - -miscfiles_read_man_pages(postfix_master_t) - -seutil_sigchld_newrole(postfix_master_t) -# postfix does a "find" on startup for some reason - keep it quiet -seutil_dontaudit_search_config(postfix_master_t) - -mta_rw_aliases(postfix_master_t) -mta_read_sendmail_bin(postfix_master_t) -mta_getattr_spool(postfix_master_t) - -ifdef(`distro_redhat',` - # for newer main.cf that uses /etc/aliases - mta_manage_aliases(postfix_master_t) - mta_etc_filetrans_aliases(postfix_master_t) -') - -optional_policy(` - cyrus_stream_connect(postfix_master_t) -') - -optional_policy(` - kerberos_keytab_template(postfix, postfix_t) -') - -optional_policy(` -# for postalias - mailman_manage_data_files(postfix_master_t) -') - -optional_policy(` - mysql_stream_connect(postfix_master_t) -') - -optional_policy(` - postgrey_search_spool(postfix_master_t) -') - -optional_policy(` - sendmail_signal(postfix_master_t) -') - -######################################## -# -# Postfix bounce local policy -# - -allow postfix_bounce_t self:capability dac_read_search; -allow postfix_bounce_t self:tcp_socket create_socket_perms; - -allow postfix_bounce_t postfix_public_t:sock_file write; -allow postfix_bounce_t postfix_public_t:dir search; - -manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) - -manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - -######################################## -# -# Postfix cleanup local policy -# - -allow postfix_cleanup_t self:process setrlimit; - -# connect to master process -stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) - -rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) -write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) - -manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) - -allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; - -corecmd_exec_bin(postfix_cleanup_t) - -mta_read_aliases(postfix_cleanup_t) - -optional_policy(` - mailman_read_data_files(postfix_cleanup_t) -') - -######################################## -# -# Postfix local local policy -# - -allow postfix_local_t self:fifo_file rw_fifo_file_perms; -allow postfix_local_t self:process { setsched setrlimit }; - -# connect to master process -stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) - -# for .forward - maybe we need a new type for it? -rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) - -allow postfix_local_t postfix_spool_t:file rw_file_perms; - -corecmd_exec_shell(postfix_local_t) -corecmd_exec_bin(postfix_local_t) - -files_read_etc_files(postfix_local_t) - -logging_dontaudit_search_logs(postfix_local_t) - -mta_read_aliases(postfix_local_t) -mta_delete_spool(postfix_local_t) -# For reading spamassasin -mta_read_config(postfix_local_t) - -domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) -# Might be a leak, but I need a postfix expert to explain -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; - -optional_policy(` - clamav_search_lib(postfix_local_t) - clamav_exec_clamscan(postfix_local_t) -') - -optional_policy(` -# for postalias - mailman_manage_data_files(postfix_local_t) - mailman_append_log(postfix_local_t) - mailman_read_log(postfix_local_t) -') - -optional_policy(` - procmail_domtrans(postfix_local_t) -') - -######################################## -# -# Postfix map local policy -# -allow postfix_map_t self:capability { dac_override setgid setuid }; -allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; -allow postfix_map_t self:unix_dgram_socket create_socket_perms; -allow postfix_map_t self:tcp_socket create_stream_socket_perms; -allow postfix_map_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) -manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) -manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) - -manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(postfix_map_t) -kernel_dontaudit_list_proc(postfix_map_t) -kernel_dontaudit_read_system_state(postfix_map_t) - -corenet_all_recvfrom_unlabeled(postfix_map_t) -corenet_all_recvfrom_netlabel(postfix_map_t) -corenet_tcp_sendrecv_generic_if(postfix_map_t) -corenet_udp_sendrecv_generic_if(postfix_map_t) -corenet_tcp_sendrecv_generic_node(postfix_map_t) -corenet_udp_sendrecv_generic_node(postfix_map_t) -corenet_tcp_sendrecv_all_ports(postfix_map_t) -corenet_udp_sendrecv_all_ports(postfix_map_t) -corenet_tcp_connect_all_ports(postfix_map_t) -corenet_sendrecv_all_client_packets(postfix_map_t) - -corecmd_list_bin(postfix_map_t) -corecmd_read_bin_symlinks(postfix_map_t) -corecmd_read_bin_files(postfix_map_t) -corecmd_read_bin_pipes(postfix_map_t) -corecmd_read_bin_sockets(postfix_map_t) - -files_list_home(postfix_map_t) -files_read_usr_files(postfix_map_t) -files_read_etc_files(postfix_map_t) -files_read_etc_runtime_files(postfix_map_t) -files_dontaudit_search_var(postfix_map_t) - -auth_use_nsswitch(postfix_map_t) - -logging_send_syslog_msg(postfix_map_t) - -miscfiles_read_localization(postfix_map_t) - -optional_policy(` - locallogin_dontaudit_use_fds(postfix_map_t) -') - -optional_policy(` -# for postalias - mailman_manage_data_files(postfix_map_t) -') - -######################################## -# -# Postfix pickup local policy -# - -allow postfix_pickup_t self:tcp_socket create_socket_perms; - -stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) - -rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) - -postfix_list_spool(postfix_pickup_t) - -allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; -read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -######################################## -# -# Postfix pipe local policy -# - -allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; -allow postfix_pipe_t self:process setrlimit; - -write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) - -rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) - -domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) - -optional_policy(` - dovecot_domtrans_deliver(postfix_pipe_t) -') - -optional_policy(` - procmail_domtrans(postfix_pipe_t) -') - -optional_policy(` - mailman_domtrans_queue(postfix_pipe_t) -') - -optional_policy(` - mta_manage_spool(postfix_pipe_t) - mta_send_mail(postfix_pipe_t) -') - -optional_policy(` - spamassassin_domtrans_client(postfix_pipe_t) -') - -optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) -') - -######################################## -# -# Postfix postdrop local policy -# - -# usually it does not need a UDP socket -allow postfix_postdrop_t self:capability sys_resource; -allow postfix_postdrop_t self:tcp_socket create; -allow postfix_postdrop_t self:udp_socket create_socket_perms; - -rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - -postfix_list_spool(postfix_postdrop_t) -manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -corenet_udp_sendrecv_generic_if(postfix_postdrop_t) -corenet_udp_sendrecv_generic_node(postfix_postdrop_t) - -term_dontaudit_use_all_ptys(postfix_postdrop_t) -term_dontaudit_use_all_ttys(postfix_postdrop_t) - -mta_rw_user_mail_stream_sockets(postfix_postdrop_t) - -optional_policy(` - apache_dontaudit_rw_fifo_file(postfix_postdrop_t) -') - -optional_policy(` - cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) -') - -# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 -optional_policy(` - fstools_read_pipes(postfix_postdrop_t) -') - -optional_policy(` - sendmail_rw_unix_stream_sockets(postfix_postdrop_t) -') - -optional_policy(` - uucp_manage_spool(postfix_postdrop_t) -') - -####################################### -# -# Postfix postqueue local policy -# - -allow postfix_postqueue_t self:tcp_socket create; -allow postfix_postqueue_t self:udp_socket { create ioctl }; - -# wants to write to /var/spool/postfix/public/showq -stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) - -# write to /var/spool/postfix/public/qmgr -write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) - -domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) - -# to write the mailq output, it really should not need read access! -term_use_all_ptys(postfix_postqueue_t) -term_use_all_ttys(postfix_postqueue_t) - -init_sigchld_script(postfix_postqueue_t) -init_use_script_fds(postfix_postqueue_t) - -optional_policy(` - cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) -') - -optional_policy(` - ppp_use_fds(postfix_postqueue_t) - ppp_sigchld(postfix_postqueue_t) -') - -######################################## -# -# Postfix qmgr local policy -# - -stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) - -# for /var/spool/postfix/active -manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) -files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) - -allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; - -corecmd_exec_bin(postfix_qmgr_t) - -######################################## -# -# Postfix showq local policy -# - -allow postfix_showq_t self:capability { setuid setgid }; -allow postfix_showq_t self:tcp_socket create_socket_perms; - -allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; - -allow postfix_showq_t postfix_spool_t:file read_file_perms; - -postfix_list_spool(postfix_showq_t) - -allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; -allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; -allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; - -# to write the mailq output, it really should not need read access! -term_use_all_ptys(postfix_showq_t) -term_use_all_ttys(postfix_showq_t) - -######################################## -# -# Postfix smtp delivery local policy -# - -# connect to master process -allow postfix_smtp_t self:capability sys_chroot; -stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -allow postfix_smtp_t postfix_prng_t:file rw_file_perms; - -allow postfix_smtp_t postfix_spool_t:file rw_file_perms; - -files_search_all_mountpoints(postfix_smtp_t) - -optional_policy(` - cyrus_stream_connect(postfix_smtp_t) -') - -optional_policy(` - milter_stream_connect_all(postfix_smtp_t) -') - -######################################## -# -# Postfix smtpd local policy -# -allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; - -# connect to master process -stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -# Connect to policy server -corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) - -# for prng_exch -allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; -allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; - -corecmd_exec_bin(postfix_smtpd_t) - -# for OpenSSL certificates -files_read_usr_files(postfix_smtpd_t) -mta_read_aliases(postfix_smtpd_t) - -optional_policy(` - dovecot_stream_connect_auth(postfix_smtpd_t) -') - -optional_policy(` - mailman_read_data_files(postfix_smtpd_t) -') - -optional_policy(` - postgrey_stream_connect(postfix_smtpd_t) -') - -optional_policy(` - sasl_connect(postfix_smtpd_t) -') - -######################################## -# -# Postfix virtual local policy -# - -allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; -allow postfix_virtual_t self:process { setsched setrlimit }; - -allow postfix_virtual_t postfix_spool_t:file rw_file_perms; - -# connect to master process -stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -corecmd_exec_shell(postfix_virtual_t) -corecmd_exec_bin(postfix_virtual_t) - -files_read_etc_files(postfix_virtual_t) -files_read_usr_files(postfix_virtual_t) - -mta_read_aliases(postfix_virtual_t) -mta_delete_spool(postfix_virtual_t) -# For reading spamassasin -mta_read_config(postfix_virtual_t) -mta_manage_spool(postfix_virtual_t) diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc deleted file mode 100644 index 4361cb67e..000000000 --- a/policy/modules/services/postfixpolicyd.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0) -/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0) - -/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) - -/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if deleted file mode 100644 index feae93b0c..000000000 --- a/policy/modules/services/postfixpolicyd.if +++ /dev/null @@ -1,40 +0,0 @@ -## Postfix policy server - -######################################## -## -## All of the rules required to administrate -## an postfixpolicyd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the postfixpolicyd domain. -## -## -## -# -interface(`postfixpolicyd_admin',` - gen_require(` - type postfix_policyd_t, postfix_policyd_conf_t; - type postfix_policyd_var_run_t; - type postfix_policyd_initrc_exec_t; - ') - - allow $1 postfix_policyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_policyd_t) - - init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postfix_policyd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, postfix_policyd_conf_t) - - files_list_pids($1) - admin_pattern($1, postfix_policyd_var_run_t) -') diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te deleted file mode 100644 index 725752683..000000000 --- a/policy/modules/services/postfixpolicyd.te +++ /dev/null @@ -1,53 +0,0 @@ -policy_module(postfixpolicyd, 1.2.0) - -######################################## -# -# Declarations -# - -type postfix_policyd_t; -type postfix_policyd_exec_t; -init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t) - -type postfix_policyd_conf_t; -files_config_file(postfix_policyd_conf_t) - -type postfix_policyd_initrc_exec_t; -init_script_file(postfix_policyd_initrc_exec_t) - -type postfix_policyd_var_run_t; -files_pid_file(postfix_policyd_var_run_t) - -######################################## -# -# Local Policy -# - -allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; -allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; -allow postfix_policyd_t self:process setrlimit; -allow postfix_policyd_t self:unix_dgram_socket { connect create write}; - -allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; -allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; -allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read }; - -manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) -files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) - -corenet_all_recvfrom_unlabeled(postfix_policyd_t) -corenet_tcp_sendrecv_generic_if(postfix_policyd_t) -corenet_tcp_sendrecv_generic_node(postfix_policyd_t) -corenet_tcp_sendrecv_all_ports(postfix_policyd_t) -corenet_tcp_bind_generic_node(postfix_policyd_t) -corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t) -corenet_tcp_bind_mysqld_port(postfix_policyd_t) - -files_read_etc_files(postfix_policyd_t) -files_read_usr_files(postfix_policyd_t) - -logging_send_syslog_msg(postfix_policyd_t) - -miscfiles_read_localization(postfix_policyd_t) - -sysnet_dns_name_resolve(postfix_policyd_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 4115b3fe9..75dc6988b 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -333,7 +333,9 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t) userdom_dontaudit_search_user_home_dirs(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t) -mta_getattr_spool(postgresql_t) +optional_policy(` + mta_getattr_spool(postgresql_t) +') tunable_policy(`allow_execmem',` allow postgresql_t self:process execmem; diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc deleted file mode 100644 index e731841c3..000000000 --- a/policy/modules/services/postgrey.fc +++ /dev/null @@ -1,12 +0,0 @@ - -/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) -/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0) - -/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0) - -/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0) - -/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) -/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) - -/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if deleted file mode 100644 index ad15fde7b..000000000 --- a/policy/modules/services/postgrey.if +++ /dev/null @@ -1,81 +0,0 @@ -## Postfix grey-listing server - -######################################## -## -## Write to postgrey socket -## -## -## -## Domain allowed access. -## -## -# -interface(`postgrey_stream_connect',` - gen_require(` - type postgrey_var_run_t, postgrey_t, postgrey_spool_t; - ') - - stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t) - stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t) - files_search_pids($1) -') - -######################################## -## -## Search the spool directory -## -## -## -## Domain allowed access. -## -## -# -interface(`postgrey_search_spool',` - gen_require(` - type postgrey_spool_t; - ') - - allow $1 postgrey_spool_t:dir search_dir_perms; -') - -######################################## -## -## All of the rules required to administrate -## an postgrey environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the postgrey domain. -## -## -## -# -interface(`postgrey_admin',` - gen_require(` - type postgrey_t, postgrey_etc_t; - type postgrey_var_lib_t, postgrey_var_run_t; - type postgrey_initrc_exec_t; - ') - - allow $1 postgrey_t:process { ptrace signal_perms }; - ps_process_pattern($1, postgrey_t) - - init_labeled_script_domtrans($1, postgrey_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgrey_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, postgrey_etc_t) - - files_list_var_lib($1) - admin_pattern($1, postgrey_var_lib_t) - - files_list_pids($1) - admin_pattern($1, postgrey_var_run_t) -') diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te deleted file mode 100644 index db843e2c2..000000000 --- a/policy/modules/services/postgrey.te +++ /dev/null @@ -1,107 +0,0 @@ -policy_module(postgrey, 1.8.0) - -######################################## -# -# Declarations -# - -type postgrey_t; -type postgrey_exec_t; -init_daemon_domain(postgrey_t, postgrey_exec_t) - -type postgrey_etc_t; -files_config_file(postgrey_etc_t) - -type postgrey_initrc_exec_t; -init_script_file(postgrey_initrc_exec_t) - -type postgrey_spool_t; -files_type(postgrey_spool_t) - -type postgrey_var_lib_t; -files_type(postgrey_var_lib_t) - -type postgrey_var_run_t; -files_pid_file(postgrey_var_run_t) - -######################################## -# -# Local policy -# - -allow postgrey_t self:capability { chown dac_override setgid setuid }; -dontaudit postgrey_t self:capability sys_tty_config; -allow postgrey_t self:process signal_perms; -allow postgrey_t self:tcp_socket create_stream_socket_perms; -allow postgrey_t self:fifo_file create_fifo_file_perms; - -allow postgrey_t postgrey_etc_t:dir list_dir_perms; -read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) -read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) - -manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) - -manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) -files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) - -manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) - -kernel_read_system_state(postgrey_t) -kernel_read_kernel_sysctls(postgrey_t) - -# for perl -corecmd_search_bin(postgrey_t) - -corenet_all_recvfrom_unlabeled(postgrey_t) -corenet_all_recvfrom_netlabel(postgrey_t) -corenet_tcp_sendrecv_generic_if(postgrey_t) -corenet_tcp_sendrecv_generic_node(postgrey_t) -corenet_tcp_sendrecv_all_ports(postgrey_t) -corenet_tcp_bind_generic_node(postgrey_t) -corenet_tcp_bind_postgrey_port(postgrey_t) -corenet_sendrecv_postgrey_server_packets(postgrey_t) - -dev_read_urand(postgrey_t) -dev_read_sysfs(postgrey_t) - -domain_use_interactive_fds(postgrey_t) - -files_read_etc_files(postgrey_t) -files_read_etc_runtime_files(postgrey_t) -files_read_usr_files(postgrey_t) -files_getattr_tmp_dirs(postgrey_t) - -fs_getattr_all_fs(postgrey_t) -fs_search_auto_mountpoints(postgrey_t) - -logging_send_syslog_msg(postgrey_t) - -miscfiles_read_localization(postgrey_t) - -sysnet_read_config(postgrey_t) - -userdom_dontaudit_use_unpriv_user_fds(postgrey_t) -userdom_dontaudit_search_user_home_dirs(postgrey_t) - -optional_policy(` - nis_use_ypbind(postgrey_t) -') - -optional_policy(` - postfix_read_config(postgrey_t) - postfix_manage_spool_files(postgrey_t) -') - -optional_policy(` - seutil_sigchld_newrole(postgrey_t) -') - -optional_policy(` - udev_read_db(postgrey_t) -') diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc deleted file mode 100644 index 2d82c6d00..000000000 --- a/policy/modules/services/ppp.fc +++ /dev/null @@ -1,38 +0,0 @@ -# -# /etc -# -/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - -/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) -/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) -/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -# Fix /etc/ppp {up,down} family scripts (see man pppd) -/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - -/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) - -# -# /sbin -# -/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) - -# -# /usr -# -/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) -/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) - -# -# /var -# -/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) -# Fix pptp sockets -/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) - -/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) -/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if deleted file mode 100644 index b52467324..000000000 --- a/policy/modules/services/ppp.if +++ /dev/null @@ -1,395 +0,0 @@ -## Point to Point Protocol daemon creates links in ppp networks - -######################################## -## -## Use PPP file discriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_use_fds',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## and use PPP file discriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`ppp_dontaudit_use_fds',` - gen_require(` - type pppd_t; - ') - - dontaudit $1 pppd_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to PPP. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_sigchld',` - gen_require(` - type pppd_t; - - ') - - allow $1 pppd_t:process sigchld; -') - -######################################## -## -## Send ppp a kill signal -## -## -## -## Domain allowed access. -## -## -# -# -interface(`ppp_kill',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process sigkill; -') - -######################################## -## -## Send a generic signal to PPP. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_signal',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signal; -') - -######################################## -## -## Send a generic signull to PPP. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_signull',` - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signull; -') - -######################################## -## -## Execute domain in the ppp domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ppp_domtrans',` - gen_require(` - type pppd_t, pppd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pppd_exec_t, pppd_t) -') - -######################################## -## -## Conditionally execute ppp daemon on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ppp domain. -## -## -## -# -interface(`ppp_run_cond',` - gen_require(` - type pppd_t; - ') - - role $2 types pppd_t; - - tunable_policy(`pppd_for_user',` - ppp_domtrans($1) - ') -') - -######################################## -## -## Unconditionally execute ppp daemon on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ppp domain. -## -## -## -# -interface(`ppp_run',` - gen_require(` - type pppd_t, pptp_t; - ') - - ppp_domtrans($1) - role $2 types pppd_t; - role $2 types pptp_t; - - optional_policy(` - ddclient_run(pppd_t, $2) - ') -') - -######################################## -## -## Execute domain in the ppp caller. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_exec',` - gen_require(` - type pppd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pppd_exec_t) -') - -######################################## -## -## Read ppp configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_config',` - gen_require(` - type pppd_etc_t; - ') - - read_files_pattern($1, pppd_etc_t, pppd_etc_t) - files_search_etc($1) -') - -######################################## -## -## Read PPP-writable configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_rw_config',` - gen_require(` - type pppd_etc_t, pppd_etc_rw_t; - ') - - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file read_file_perms; - files_search_etc($1) -') - -######################################## -## -## Read PPP secrets. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_secrets',` - gen_require(` - type pppd_etc_t, pppd_secret_t; - ') - - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file read_file_perms; - files_search_etc($1) -') - -######################################## -## -## Read PPP pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_read_pid_files',` - gen_require(` - type pppd_var_run_t; - ') - - allow $1 pppd_var_run_t:file read_file_perms; -') - -######################################## -## -## Create, read, write, and delete PPP pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_manage_pid_files',` - gen_require(` - type pppd_var_run_t; - ') - - allow $1 pppd_var_run_t:file manage_file_perms; -') - -######################################## -## -## Create, read, write, and delete PPP pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ppp_pid_filetrans',` - gen_require(` - type pppd_var_run_t; - ') - - files_pid_filetrans($1, pppd_var_run_t, file) -') - -######################################## -## -## Execute ppp server in the ntpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ppp_initrc_domtrans',` - gen_require(` - type pppd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, pppd_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an ppp environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ppp_admin',` - gen_require(` - type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t; - type pppd_etc_rw_t, pppd_var_run_t; - - type pptp_t, pptp_log_t, pptp_var_run_t; - type pppd_initrc_exec_t; - ') - - allow $1 pppd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, pppd_t) - - ppp_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pppd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, pppd_tmp_t) - - logging_list_logs($1) - admin_pattern($1, pppd_log_t) - - admin_pattern($1, pppd_lock_t) - - files_list_etc($1) - admin_pattern($1, pppd_etc_t) - - admin_pattern($1, pppd_etc_rw_t) - - admin_pattern($1, pppd_secret_t) - - files_list_pids($1) - admin_pattern($1, pppd_var_run_t) - - allow $1 pptp_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, pptp_t) - - admin_pattern($1, pptp_log_t) - - admin_pattern($1, pptp_var_run_t) -') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te deleted file mode 100644 index a2d43a9fb..000000000 --- a/policy/modules/services/ppp.te +++ /dev/null @@ -1,326 +0,0 @@ -policy_module(ppp, 1.12.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow pppd to load kernel modules for certain modems -##

-## -gen_bool(pppd_can_insmod, false) - -## -##

-## Allow pppd to be run for a regular user -##

-## -gen_tunable(pppd_for_user, false) - -# pppd_t is the domain for the pppd program. -# pppd_exec_t is the type of the pppd executable. -type pppd_t; -type pppd_exec_t; -init_daemon_domain(pppd_t, pppd_exec_t) - -type pppd_devpts_t; -term_pty(pppd_devpts_t) - -# Define a separate type for /etc/ppp -type pppd_etc_t; -files_config_file(pppd_etc_t) - -# Define a separate type for writable files under /etc/ppp -type pppd_etc_rw_t; -files_type(pppd_etc_rw_t) - -type pppd_initrc_exec_t alias pppd_script_exec_t; -init_script_file(pppd_initrc_exec_t) - -# pppd_secret_t is the type of the pap and chap password files -type pppd_secret_t; -files_type(pppd_secret_t) - -type pppd_log_t; -logging_log_file(pppd_log_t) - -type pppd_lock_t; -files_lock_file(pppd_lock_t) - -type pppd_tmp_t; -files_tmp_file(pppd_tmp_t) - -type pppd_var_run_t; -files_pid_file(pppd_var_run_t) - -type pptp_t; -type pptp_exec_t; -init_daemon_domain(pptp_t, pptp_exec_t) - -type pptp_log_t; -logging_log_file(pptp_log_t) - -type pptp_var_run_t; -files_pid_file(pptp_var_run_t) - -######################################## -# -# PPPD Local policy -# - -allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; -dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched signal }; -allow pppd_t self:fifo_file rw_fifo_file_perms; -allow pppd_t self:socket create_socket_perms; -allow pppd_t self:unix_dgram_socket create_socket_perms; -allow pppd_t self:unix_stream_socket create_socket_perms; -allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; -allow pppd_t self:tcp_socket create_stream_socket_perms; -allow pppd_t self:udp_socket { connect connected_socket_perms }; -allow pppd_t self:packet_socket create_socket_perms; - -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) - -allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr }; - -allow pppd_t pppd_etc_t:dir rw_dir_perms; -allow pppd_t pppd_etc_t:file read_file_perms; -allow pppd_t pppd_etc_t:lnk_file { getattr read }; - -manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) -# Automatically label newly created files under /etc/ppp with this type -filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - -allow pppd_t pppd_lock_t:file manage_file_perms; -files_lock_filetrans(pppd_t, pppd_lock_t, file) - -allow pppd_t pppd_log_t:file manage_file_perms; -logging_log_filetrans(pppd_t, pppd_log_t, file) - -manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) - -manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -files_pid_filetrans(pppd_t, pppd_var_run_t, file) - -allow pppd_t pptp_t:process signal; - -# for SSP -# Access secret files -allow pppd_t pppd_secret_t:file read_file_perms; - -ppp_initrc_domtrans(pppd_t) - -kernel_read_kernel_sysctls(pppd_t) -kernel_read_system_state(pppd_t) -kernel_rw_net_sysctls(pppd_t) -kernel_read_network_state(pppd_t) -kernel_request_load_module(pppd_t) - -dev_read_urand(pppd_t) -dev_search_sysfs(pppd_t) -dev_read_sysfs(pppd_t) -dev_rw_modem(pppd_t) - -corenet_all_recvfrom_unlabeled(pppd_t) -corenet_all_recvfrom_netlabel(pppd_t) -corenet_tcp_sendrecv_generic_if(pppd_t) -corenet_raw_sendrecv_generic_if(pppd_t) -corenet_udp_sendrecv_generic_if(pppd_t) -corenet_tcp_sendrecv_generic_node(pppd_t) -corenet_raw_sendrecv_generic_node(pppd_t) -corenet_udp_sendrecv_generic_node(pppd_t) -corenet_tcp_sendrecv_all_ports(pppd_t) -corenet_udp_sendrecv_all_ports(pppd_t) -# Access /dev/ppp. -corenet_rw_ppp_dev(pppd_t) - -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) - -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -# for pppoe -term_create_pty(pppd_t, pppd_devpts_t) - -# allow running ip-up and ip-down scripts and running chat. -corecmd_exec_bin(pppd_t) -corecmd_exec_shell(pppd_t) - -domain_use_interactive_fds(pppd_t) - -files_exec_etc_files(pppd_t) -files_manage_etc_runtime_files(pppd_t) -files_dontaudit_write_etc_files(pppd_t) - -# for scripts -files_read_etc_files(pppd_t) - -init_read_utmp(pppd_t) -init_dontaudit_write_utmp(pppd_t) -init_signal_script(pppd_t) - -auth_use_nsswitch(pppd_t) - -logging_send_syslog_msg(pppd_t) -logging_send_audit_msgs(pppd_t) - -miscfiles_read_localization(pppd_t) - -sysnet_exec_ifconfig(pppd_t) -sysnet_manage_config(pppd_t) -sysnet_etc_filetrans_config(pppd_t) - -userdom_use_user_terminals(pppd_t) -userdom_dontaudit_use_unpriv_user_fds(pppd_t) -userdom_search_user_home_dirs(pppd_t) - -ppp_exec(pppd_t) - -optional_policy(` - ddclient_domtrans(pppd_t) -') - -optional_policy(` - # The toolchain does not support nested conditionals - gen_require(` - bool secure_mode_insmod; - ') - - if (pppd_can_insmod && ! secure_mode_insmod) { - modutils_domtrans_insmod_uncond(pppd_t) - } -') - -optional_policy(` - mta_send_mail(pppd_t) -') - -optional_policy(` - networkmanager_signal(pppd_t) -') - -optional_policy(` - postfix_domtrans_master(pppd_t) -') - -optional_policy(` - seutil_sigchld_newrole(pppd_t) -') - -optional_policy(` - udev_read_db(pppd_t) -') - -######################################## -# -# PPTP Local policy -# - -allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; -dontaudit pptp_t self:capability sys_tty_config; -allow pptp_t self:process signal; -allow pptp_t self:fifo_file rw_fifo_file_perms; -allow pptp_t self:unix_dgram_socket create_socket_perms; -allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow pptp_t self:rawip_socket create_socket_perms; -allow pptp_t self:tcp_socket create_socket_perms; -allow pptp_t self:udp_socket create_socket_perms; -allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - -allow pptp_t pppd_etc_t:dir list_dir_perms; -allow pptp_t pppd_etc_t:file read_file_perms; -allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; - -allow pptp_t pppd_etc_rw_t:dir list_dir_perms; -allow pptp_t pppd_etc_rw_t:file read_file_perms; -allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; -can_exec(pptp_t, pppd_etc_rw_t) - -# Allow pptp to append to pppd log files -allow pptp_t pppd_log_t:file append_file_perms; - -allow pptp_t pptp_log_t:file manage_file_perms; -logging_log_filetrans(pptp_t, pptp_log_t, file) - -manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -files_pid_filetrans(pptp_t, pptp_var_run_t, file) - -kernel_list_proc(pptp_t) -kernel_read_kernel_sysctls(pptp_t) -kernel_read_proc_symlinks(pptp_t) -kernel_read_system_state(pptp_t) - -dev_read_sysfs(pptp_t) - -corecmd_exec_shell(pptp_t) -corecmd_read_bin_symlinks(pptp_t) - -corenet_all_recvfrom_unlabeled(pptp_t) -corenet_all_recvfrom_netlabel(pptp_t) -corenet_tcp_sendrecv_generic_if(pptp_t) -corenet_raw_sendrecv_generic_if(pptp_t) -corenet_tcp_sendrecv_generic_node(pptp_t) -corenet_raw_sendrecv_generic_node(pptp_t) -corenet_tcp_sendrecv_all_ports(pptp_t) -corenet_tcp_bind_generic_node(pptp_t) -corenet_tcp_connect_generic_port(pptp_t) -corenet_tcp_connect_all_reserved_ports(pptp_t) -corenet_sendrecv_generic_client_packets(pptp_t) - -files_read_etc_files(pptp_t) - -fs_getattr_all_fs(pptp_t) -fs_search_auto_mountpoints(pptp_t) - -term_ioctl_generic_ptys(pptp_t) -term_search_ptys(pptp_t) -term_use_ptmx(pptp_t) - -domain_use_interactive_fds(pptp_t) - -auth_use_nsswitch(pptp_t) - -logging_send_syslog_msg(pptp_t) - -miscfiles_read_localization(pptp_t) - -sysnet_exec_ifconfig(pptp_t) - -userdom_dontaudit_use_unpriv_user_fds(pptp_t) -userdom_dontaudit_search_user_home_dirs(pptp_t) -userdom_signal_unpriv_users(pptp_t) - -optional_policy(` - consoletype_exec(pppd_t) -') - -optional_policy(` - dbus_system_domain(pppd_t, pppd_exec_t) - - optional_policy(` - networkmanager_dbus_chat(pppd_t) - ') -') - -optional_policy(` - hostname_exec(pptp_t) -') - -optional_policy(` - seutil_sigchld_newrole(pptp_t) -') - -optional_policy(` - udev_read_db(pptp_t) -') - -optional_policy(` - postfix_read_config(pppd_t) -') diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc deleted file mode 100644 index 3bd847aff..000000000 --- a/policy/modules/services/prelude.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) -/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) -/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) - -/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - -/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) -/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) -/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) -/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) - -/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) -/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) -/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) -/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) -/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if deleted file mode 100644 index 23166537b..000000000 --- a/policy/modules/services/prelude.if +++ /dev/null @@ -1,144 +0,0 @@ -## Prelude hybrid intrusion detection system - -######################################## -## -## Execute a domain transition to run prelude. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`prelude_domtrans',` - gen_require(` - type prelude_t, prelude_exec_t; - ') - - domtrans_pattern($1, prelude_exec_t, prelude_t) -') - -######################################## -## -## Execute a domain transition to run prelude_audisp. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`prelude_domtrans_audisp',` - gen_require(` - type prelude_audisp_t, prelude_audisp_exec_t; - ') - - domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) -') - -######################################## -## -## Signal the prelude_audisp domain. -## -## -## -## Domain allowed acccess. -## -## -# -interface(`prelude_signal_audisp',` - gen_require(` - type prelude_audisp_t; - ') - - allow $1 prelude_audisp_t:process signal; -') - -######################################## -## -## Read the prelude spool files -## -## -## -## Domain allowed access. -## -## -# -interface(`prelude_read_spool',` - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, prelude_spool_t, prelude_spool_t) -') - -######################################## -## -## Manage to prelude-manager spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`prelude_manage_spool',` - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) - manage_files_pattern($1, prelude_spool_t, prelude_spool_t) -') - -######################################## -## -## All of the rules required to administrate -## an prelude environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`prelude_admin',` - gen_require(` - type prelude_t, prelude_spool_t; - type prelude_var_run_t, prelude_var_lib_t; - type prelude_audisp_t, prelude_audisp_var_run_t; - type prelude_initrc_exec_t; - - type prelude_lml_t, prelude_lml_tmp_t; - type prelude_lml_var_run_t; - ') - - allow $1 prelude_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_t) - - allow $1 prelude_audisp_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_audisp_t) - - allow $1 prelude_lml_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_lml_t) - - init_labeled_script_domtrans($1, prelude_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 prelude_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, prelude_spool_t) - admin_pattern($1, prelude_var_lib_t) - admin_pattern($1, prelude_var_run_t) - admin_pattern($1, prelude_audisp_var_run_t) - admin_pattern($1, prelude_lml_tmp_t) - admin_pattern($1, prelude_lml_var_run_t) -') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te deleted file mode 100644 index b1bc02c75..000000000 --- a/policy/modules/services/prelude.te +++ /dev/null @@ -1,308 +0,0 @@ -policy_module(prelude, 1.3.0) - -######################################## -# -# Declarations -# - -type prelude_t; -type prelude_exec_t; -init_daemon_domain(prelude_t, prelude_exec_t) - -type prelude_initrc_exec_t; -init_script_file(prelude_initrc_exec_t) - -type prelude_spool_t; -files_type(prelude_spool_t) - -type prelude_log_t; -logging_log_file(prelude_log_t) - -type prelude_var_run_t; -files_pid_file(prelude_var_run_t) - -type prelude_var_lib_t; -files_type(prelude_var_lib_t) - -type prelude_audisp_t; -type prelude_audisp_exec_t; -init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) -logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) - -type prelude_audisp_var_run_t; -files_pid_file(prelude_audisp_var_run_t) - -type prelude_correlator_t; -type prelude_correlator_exec_t; -init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) -role system_r types prelude_correlator_t; - -type prelude_correlator_config_t; -files_config_file(prelude_correlator_config_t) - -type prelude_lml_t; -type prelude_lml_exec_t; -init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) - -type prelude_lml_tmp_t; -files_tmp_file(prelude_lml_tmp_t) - -type prelude_lml_var_run_t; -files_pid_file(prelude_lml_var_run_t) - -######################################## -# -# prelude local policy -# - -allow prelude_t self:capability { dac_override sys_tty_config }; -allow prelude_t self:fifo_file rw_file_perms; -allow prelude_t self:unix_stream_socket create_stream_socket_perms; -allow prelude_t self:netlink_route_socket r_netlink_socket_perms; -allow prelude_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -logging_log_filetrans(prelude_t, prelude_log_t, file) - -manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) -files_search_spool(prelude_t) - -manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) -manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) -files_search_var_lib(prelude_t) - -manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) - -kernel_read_system_state(prelude_t) -kernel_read_sysctl(prelude_t) - -corecmd_search_bin(prelude_t) - -corenet_all_recvfrom_unlabeled(prelude_t) -corenet_all_recvfrom_netlabel(prelude_t) -corenet_tcp_sendrecv_generic_if(prelude_t) -corenet_tcp_sendrecv_generic_node(prelude_t) -corenet_tcp_bind_generic_node(prelude_t) -corenet_tcp_bind_prelude_port(prelude_t) -corenet_tcp_connect_prelude_port(prelude_t) -corenet_tcp_connect_postgresql_port(prelude_t) -corenet_tcp_connect_mysqld_port(prelude_t) - -dev_read_rand(prelude_t) -dev_read_urand(prelude_t) - -files_read_etc_files(prelude_t) -files_read_etc_runtime_files(prelude_t) -files_read_usr_files(prelude_t) -files_search_tmp(prelude_t) - -fs_rw_anon_inodefs_files(prelude_t) - -auth_use_nsswitch(prelude_t) - -logging_send_audit_msgs(prelude_t) -logging_send_syslog_msg(prelude_t) - -miscfiles_read_localization(prelude_t) - -optional_policy(` - mysql_search_db(prelude_t) - mysql_stream_connect(prelude_t) -') - -optional_policy(` - postgresql_stream_connect(prelude_t) -') - -######################################## -# -# prelude_audisp local policy -# - -allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; -allow prelude_audisp_t self:process { getcap setcap }; -allow prelude_audisp_t self:fifo_file rw_file_perms; -allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; -allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms; -allow prelude_audisp_t self:tcp_socket create_socket_perms; - -manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) -files_search_spool(prelude_audisp_t) - -manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) -files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) - -kernel_read_sysctl(prelude_audisp_t) -kernel_read_system_state(prelude_audisp_t) - -corecmd_search_bin(prelude_audisp_t) - -corenet_all_recvfrom_unlabeled(prelude_audisp_t) -corenet_all_recvfrom_netlabel(prelude_audisp_t) -corenet_tcp_sendrecv_generic_if(prelude_audisp_t) -corenet_tcp_sendrecv_generic_node(prelude_audisp_t) -corenet_tcp_bind_generic_node(prelude_audisp_t) -corenet_tcp_connect_prelude_port(prelude_audisp_t) - -dev_read_rand(prelude_audisp_t) -dev_read_urand(prelude_audisp_t) - -# Init script handling -domain_use_interactive_fds(prelude_audisp_t) - -files_read_etc_files(prelude_audisp_t) -files_read_etc_runtime_files(prelude_audisp_t) -files_search_tmp(prelude_audisp_t) - -logging_send_syslog_msg(prelude_audisp_t) - -miscfiles_read_localization(prelude_audisp_t) - -sysnet_dns_name_resolve(prelude_audisp_t) - -######################################## -# -# prelude_correlator local policy -# - -allow prelude_correlator_t self:capability dac_override; -allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; -allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; -allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; - -allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; -read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) - -kernel_read_sysctl(prelude_correlator_t) - -corecmd_search_bin(prelude_correlator_t) - -corenet_all_recvfrom_unlabeled(prelude_correlator_t) -corenet_all_recvfrom_netlabel(prelude_correlator_t) -corenet_tcp_sendrecv_generic_if(prelude_correlator_t) -corenet_tcp_sendrecv_generic_node(prelude_correlator_t) -corenet_tcp_connect_prelude_port(prelude_correlator_t) - -dev_read_rand(prelude_correlator_t) -dev_read_urand(prelude_correlator_t) - -files_read_etc_files(prelude_correlator_t) -files_read_usr_files(prelude_correlator_t) -files_search_spool(prelude_correlator_t) - -logging_send_syslog_msg(prelude_correlator_t) - -miscfiles_read_localization(prelude_correlator_t) - -sysnet_dns_name_resolve(prelude_correlator_t) - -prelude_manage_spool(prelude_correlator_t) - -######################################## -# -# prelude_lml local declarations -# - -allow prelude_lml_t self:capability dac_override; -allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; -allow prelude_lml_t self:unix_dgram_socket { write create connect }; -allow prelude_lml_t self:fifo_file rw_fifo_file_perms; -allow prelude_lml_t self:unix_stream_socket connectto; - -manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) -files_list_tmp(prelude_lml_t) - -manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -files_search_spool(prelude_lml_t) - -manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -files_search_var_lib(prelude_lml_t) - -manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) -files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) - -kernel_read_system_state(prelude_lml_t) -kernel_read_sysctl(prelude_lml_t) - -corecmd_exec_bin(prelude_lml_t) - -corenet_tcp_sendrecv_generic_if(prelude_lml_t) -corenet_tcp_sendrecv_generic_node(prelude_lml_t) -corenet_tcp_recvfrom_netlabel(prelude_lml_t) -corenet_tcp_recvfrom_unlabeled(prelude_lml_t) -corenet_sendrecv_unlabeled_packets(prelude_lml_t) -corenet_tcp_connect_prelude_port(prelude_lml_t) - -dev_read_rand(prelude_lml_t) -dev_read_urand(prelude_lml_t) - -files_list_etc(prelude_lml_t) -files_read_etc_files(prelude_lml_t) -files_read_etc_runtime_files(prelude_lml_t) - -fs_getattr_all_fs(prelude_lml_t) -fs_list_inotifyfs(prelude_lml_t) -fs_rw_anon_inodefs_files(prelude_lml_t) - -auth_use_nsswitch(prelude_lml_t) - -libs_exec_lib_files(prelude_lml_t) -libs_read_lib_files(prelude_lml_t) - -logging_send_syslog_msg(prelude_lml_t) -logging_read_generic_logs(prelude_lml_t) - -miscfiles_read_localization(prelude_lml_t) - -sysnet_dns_name_resolve(prelude_lml_t) - -userdom_read_all_users_state(prelude_lml_t) - -optional_policy(` - apache_search_sys_content(prelude_lml_t) - apache_read_log(prelude_lml_t) -') - -######################################## -# -# prewikka_cgi Declarations -# - -optional_policy(` - apache_content_template(prewikka) - - can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) - - files_read_etc_files(httpd_prewikka_script_t) - files_search_tmp(httpd_prewikka_script_t) - - kernel_read_sysctl(httpd_prewikka_script_t) - kernel_search_network_sysctl(httpd_prewikka_script_t) - - corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) - - auth_use_nsswitch(httpd_prewikka_script_t) - - logging_send_syslog_msg(httpd_prewikka_script_t) - - apache_search_sys_content(httpd_prewikka_script_t) - - optional_policy(` - mysql_search_db(httpd_prewikka_script_t) - mysql_stream_connect(httpd_prewikka_script_t) - ') - - optional_policy(` - postgresql_stream_connect(httpd_prewikka_script_t) - ') -') diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc deleted file mode 100644 index be4998abd..000000000 --- a/policy/modules/services/privoxy.fc +++ /dev/null @@ -1,6 +0,0 @@ -/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) -/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) - -/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) - -/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if deleted file mode 100644 index afd175164..000000000 --- a/policy/modules/services/privoxy.if +++ /dev/null @@ -1,42 +0,0 @@ -## Privacy enhancing web proxy. - -######################################## -## -## All of the rules required to administrate -## an privoxy environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`privoxy_admin',` - gen_require(` - type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; - type privoxy_etc_rw_t, privoxy_var_run_t; - ') - - allow $1 privoxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, privoxy_t) - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 privoxy_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, privoxy_log_t) - - files_list_etc($1) - admin_pattern($1, privoxy_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, privoxy_var_run_t) -') diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te deleted file mode 100644 index 2dbf4d495..000000000 --- a/policy/modules/services/privoxy.te +++ /dev/null @@ -1,103 +0,0 @@ -policy_module(privoxy, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow privoxy to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

-## -gen_tunable(privoxy_connect_any, false) - -type privoxy_t; # web_client_domain -type privoxy_exec_t; -init_daemon_domain(privoxy_t, privoxy_exec_t) - -type privoxy_initrc_exec_t; -init_script_file(privoxy_initrc_exec_t) - -type privoxy_etc_rw_t; -files_type(privoxy_etc_rw_t) - -type privoxy_log_t; -logging_log_file(privoxy_log_t) - -type privoxy_var_run_t; -files_pid_file(privoxy_var_run_t) - -######################################## -# -# Local Policy -# - -allow privoxy_t self:capability { setgid setuid }; -dontaudit privoxy_t self:capability sys_tty_config; -allow privoxy_t self:tcp_socket create_stream_socket_perms; - -allow privoxy_t privoxy_etc_rw_t:file rw_file_perms; - -manage_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) -logging_log_filetrans(privoxy_t, privoxy_log_t, file) - -manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) -files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) - -kernel_read_system_state(privoxy_t) -kernel_read_kernel_sysctls(privoxy_t) - -corenet_all_recvfrom_unlabeled(privoxy_t) -corenet_all_recvfrom_netlabel(privoxy_t) -corenet_tcp_sendrecv_generic_if(privoxy_t) -corenet_tcp_sendrecv_generic_node(privoxy_t) -corenet_tcp_sendrecv_all_ports(privoxy_t) -corenet_tcp_bind_generic_node(privoxy_t) -corenet_tcp_bind_http_cache_port(privoxy_t) -corenet_tcp_connect_http_port(privoxy_t) -corenet_tcp_connect_http_cache_port(privoxy_t) -corenet_tcp_connect_squid_port(privoxy_t) -corenet_tcp_connect_ftp_port(privoxy_t) -corenet_tcp_connect_pgpkeyserver_port(privoxy_t) -corenet_tcp_connect_tor_port(privoxy_t) -corenet_sendrecv_http_cache_client_packets(privoxy_t) -corenet_sendrecv_squid_client_packets(privoxy_t) -corenet_sendrecv_http_cache_server_packets(privoxy_t) -corenet_sendrecv_http_client_packets(privoxy_t) -corenet_sendrecv_ftp_client_packets(privoxy_t) -corenet_sendrecv_tor_client_packets(privoxy_t) - -dev_read_sysfs(privoxy_t) - -fs_getattr_all_fs(privoxy_t) -fs_search_auto_mountpoints(privoxy_t) - -domain_use_interactive_fds(privoxy_t) - -files_read_etc_files(privoxy_t) - -auth_use_nsswitch(privoxy_t) - -logging_send_syslog_msg(privoxy_t) - -miscfiles_read_localization(privoxy_t) - -userdom_dontaudit_use_unpriv_user_fds(privoxy_t) -userdom_dontaudit_search_user_home_dirs(privoxy_t) -# cjp: this should really not be needed -userdom_use_user_terminals(privoxy_t) - -tunable_policy(`privoxy_connect_any',` - corenet_tcp_connect_all_ports(privoxy_t) - corenet_sendrecv_all_client_packets(privoxy_t) -') - -optional_policy(` - seutil_sigchld_newrole(privoxy_t) -') - -optional_policy(` - udev_read_db(privoxy_t) -') diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc deleted file mode 100644 index 1343621bf..000000000 --- a/policy/modules/services/procmail.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) - -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if deleted file mode 100644 index b64b02fd5..000000000 --- a/policy/modules/services/procmail.if +++ /dev/null @@ -1,79 +0,0 @@ -## Procmail mail delivery agent - -######################################## -## -## Execute procmail with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`procmail_domtrans',` - gen_require(` - type procmail_exec_t, procmail_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, procmail_exec_t, procmail_t) -') - -######################################## -## -## Execute procmail in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_exec',` - gen_require(` - type procmail_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) -') - -######################################## -## -## Read procmail tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_read_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - allow $1 procmail_tmp_t:file read_file_perms; -') - -######################################## -## -## Read/write procmail tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`procmail_rw_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) -') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te deleted file mode 100644 index 29b929563..000000000 --- a/policy/modules/services/procmail.te +++ /dev/null @@ -1,150 +0,0 @@ -policy_module(procmail, 1.12.0) - -######################################## -# -# Declarations -# - -type procmail_t; -type procmail_exec_t; -application_domain(procmail_t, procmail_exec_t) -role system_r types procmail_t; - -type procmail_log_t; -logging_log_file(procmail_log_t) - -type procmail_tmp_t; -files_tmp_file(procmail_tmp_t) - -######################################## -# -# Local policy -# - -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; -allow procmail_t self:process { setsched signal signull }; -allow procmail_t self:fifo_file rw_fifo_file_perms; -allow procmail_t self:unix_stream_socket create_socket_perms; -allow procmail_t self:unix_dgram_socket create_socket_perms; -allow procmail_t self:tcp_socket create_stream_socket_perms; -allow procmail_t self:udp_socket create_socket_perms; - -can_exec(procmail_t, procmail_exec_t) - -# Write log to /var/log/procmail.log or /var/log/procmail/.* -allow procmail_t procmail_log_t:dir setattr; -create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) - -allow procmail_t procmail_tmp_t:file manage_file_perms; -files_tmp_filetrans(procmail_t, procmail_tmp_t, file) - -kernel_read_system_state(procmail_t) -kernel_read_kernel_sysctls(procmail_t) - -corenet_all_recvfrom_unlabeled(procmail_t) -corenet_all_recvfrom_netlabel(procmail_t) -corenet_tcp_sendrecv_generic_if(procmail_t) -corenet_udp_sendrecv_generic_if(procmail_t) -corenet_tcp_sendrecv_generic_node(procmail_t) -corenet_udp_sendrecv_generic_node(procmail_t) -corenet_tcp_sendrecv_all_ports(procmail_t) -corenet_udp_sendrecv_all_ports(procmail_t) -corenet_udp_bind_generic_node(procmail_t) -corenet_tcp_connect_spamd_port(procmail_t) -corenet_sendrecv_spamd_client_packets(procmail_t) -corenet_sendrecv_comsat_client_packets(procmail_t) - -dev_read_urand(procmail_t) - -fs_getattr_xattr_fs(procmail_t) -fs_search_auto_mountpoints(procmail_t) -fs_rw_anon_inodefs_files(procmail_t) - -auth_use_nsswitch(procmail_t) - -corecmd_exec_bin(procmail_t) -corecmd_exec_shell(procmail_t) -corecmd_read_bin_symlinks(procmail_t) - -files_read_etc_files(procmail_t) -files_read_etc_runtime_files(procmail_t) -files_search_pids(procmail_t) -# for spamassasin -files_read_usr_files(procmail_t) - -logging_send_syslog_msg(procmail_t) - -miscfiles_read_localization(procmail_t) - -# only works until we define a different type for maildir -userdom_manage_user_home_content_dirs(procmail_t) -userdom_manage_user_home_content_files(procmail_t) -userdom_manage_user_home_content_symlinks(procmail_t) -userdom_manage_user_home_content_pipes(procmail_t) -userdom_manage_user_home_content_sockets(procmail_t) -userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) - -# Do not audit attempts to access /root. -userdom_dontaudit_search_user_home_dirs(procmail_t) - -mta_manage_spool(procmail_t) -mta_read_queue(procmail_t) - -ifdef(`hide_broken_symptoms',` - mta_dontaudit_rw_queue(procmail_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(procmail_t) - fs_manage_nfs_files(procmail_t) - fs_manage_nfs_symlinks(procmail_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - fs_manage_cifs_files(procmail_t) - fs_manage_cifs_symlinks(procmail_t) -') - -optional_policy(` - clamav_domtrans_clamscan(procmail_t) - clamav_search_lib(procmail_t) -') - -optional_policy(` - munin_dontaudit_search_lib(procmail_t) -') - -optional_policy(` - # for a bug in the postfix local program - postfix_dontaudit_rw_local_tcp_sockets(procmail_t) - postfix_dontaudit_use_fds(procmail_t) - postfix_read_spool_files(procmail_t) - postfix_read_local_state(procmail_t) - postfix_read_master_state(procmail_t) -') - -optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) -') - -optional_policy(` - mta_read_config(procmail_t) - sendmail_domtrans(procmail_t) - sendmail_signal(procmail_t) - sendmail_dontaudit_rw_tcp_sockets(procmail_t) - sendmail_dontaudit_rw_unix_stream_sockets(procmail_t) -') - -optional_policy(` - corenet_udp_bind_generic_port(procmail_t) - corenet_dontaudit_udp_bind_all_ports(procmail_t) - - spamassassin_domtrans_local_client(procmail_t) - spamassassin_domtrans_client(procmail_t) - spamassassin_read_lib_files(procmail_t) -') diff --git a/policy/modules/services/psad.fc b/policy/modules/services/psad.fc deleted file mode 100644 index 6c66d4486..000000000 --- a/policy/modules/services/psad.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) -/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) - -/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) - -/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) -/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) -/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if deleted file mode 100644 index bc329d186..000000000 --- a/policy/modules/services/psad.if +++ /dev/null @@ -1,262 +0,0 @@ -## Intrusion Detection and Log Analysis with iptables - -######################################## -## -## Execute a domain transition to run psad. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`psad_domtrans',` - gen_require(` - type psad_t, psad_exec_t; - ') - - domtrans_pattern($1, psad_exec_t, psad_t) -') - -######################################## -## -## Send a generic signal to psad -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_signal',` - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signal; -') - -####################################### -## -## Send a null signal to psad. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_signull',` - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signull; -') - -######################################## -## -## Read psad etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_read_config',` - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, psad_etc_t, psad_etc_t) -') - -######################################## -## -## Manage psad etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_manage_config',` - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, psad_etc_t, psad_etc_t) - manage_files_pattern($1, psad_etc_t, psad_etc_t) - -') - -######################################## -## -## Read psad PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_read_pid_files',` - gen_require(` - type psad_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, psad_var_run_t, psad_var_run_t) -') - -######################################## -## -## Read psad PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_rw_pid_files',` - gen_require(` - type psad_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, psad_var_run_t, psad_var_run_t) -') - -######################################## -## -## Allow the specified domain to read psad's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`psad_read_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) - read_files_pattern($1, psad_var_log_t, psad_var_log_t) -') - -######################################## -## -## Allow the specified domain to append to psad's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`psad_append_log',` - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) - append_files_pattern($1, psad_var_log_t, psad_var_log_t) -') - -######################################## -## -## Read and write psad fifo files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_rw_fifo_file',` - gen_require(` - type psad_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) - rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) -') - -####################################### -## -## Read and write psad tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`psad_rw_tmp_files',` - gen_require(` - type psad_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, psad_tmp_t, psad_tmp_t) -') - -######################################## -## -## All of the rules required to administrate -## an psad environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`psad_admin',` - gen_require(` - type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; - type psad_tmp_t; - ') - - allow $1 psad_t:process { ptrace signal_perms }; - ps_process_pattern($1, psad_t) - - init_labeled_script_domtrans($1, psad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 psad_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, psad_etc_t) - - files_search_pids($1) - admin_pattern($1, psad_var_run_t) - - logging_search_logs($1) - admin_pattern($1, psad_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, psad_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, psad_tmp_t) -') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te deleted file mode 100644 index d4000e0dc..000000000 --- a/policy/modules/services/psad.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(psad, 1.0.0) - -######################################## -# -# Declarations -# - -type psad_t; -type psad_exec_t; -init_daemon_domain(psad_t, psad_exec_t) - -# config files -type psad_etc_t; -files_type(psad_etc_t) - -type psad_initrc_exec_t; -init_script_file(psad_initrc_exec_t) - -# var/lib files -type psad_var_lib_t; -files_type(psad_var_lib_t) - -# log files -type psad_var_log_t; -logging_log_file(psad_var_log_t) - -# pid files -type psad_var_run_t; -files_pid_file(psad_var_run_t) - -# tmp files -type psad_tmp_t; -files_tmp_file(psad_tmp_t) - -######################################## -# -# psad local policy -# - -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; -dontaudit psad_t self:capability sys_tty_config; -allow psad_t self:process signull; -allow psad_t self:fifo_file rw_fifo_file_perms; -allow psad_t self:rawip_socket create_socket_perms; - -# config files -read_files_pattern(psad_t, psad_etc_t, psad_etc_t) -list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t) - -# log files -manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) -manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) -logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) - -# pid file -manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file }) - -# tmp files -manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t) -files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) - -# /var/lib files -search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) -manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) - -kernel_read_system_state(psad_t) -kernel_read_network_state(psad_t) -kernel_read_net_sysctls(psad_t) - -corecmd_exec_shell(psad_t) -corecmd_exec_bin(psad_t) - -corenet_all_recvfrom_unlabeled(psad_t) -corenet_all_recvfrom_netlabel(psad_t) -corenet_tcp_sendrecv_generic_if(psad_t) -corenet_tcp_sendrecv_generic_node(psad_t) -corenet_tcp_bind_generic_node(psad_t) -corenet_tcp_sendrecv_all_ports(psad_t) -corenet_tcp_connect_whois_port(psad_t) -corenet_sendrecv_whois_client_packets(psad_t) - -dev_read_urand(psad_t) - -files_read_etc_runtime_files(psad_t) - -fs_getattr_all_fs(psad_t) - -auth_use_nsswitch(psad_t) - -iptables_domtrans(psad_t) - -logging_read_generic_logs(psad_t) -logging_read_syslog_config(psad_t) -logging_send_syslog_msg(psad_t) - -miscfiles_read_localization(psad_t) - -sysnet_exec_ifconfig(psad_t) - -optional_policy(` - mta_send_mail(psad_t) - mta_read_queue(psad_t) -') diff --git a/policy/modules/services/publicfile.fc b/policy/modules/services/publicfile.fc deleted file mode 100644 index 5b20b6880..000000000 --- a/policy/modules/services/publicfile.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) -/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) - -# this is the place where online content located -# set this to suit your needs -#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0) diff --git a/policy/modules/services/publicfile.if b/policy/modules/services/publicfile.if deleted file mode 100644 index 5b0759256..000000000 --- a/policy/modules/services/publicfile.if +++ /dev/null @@ -1 +0,0 @@ -## publicfile supplies files to the public through HTTP and FTP diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te deleted file mode 100644 index 32edb73a9..000000000 --- a/policy/modules/services/publicfile.te +++ /dev/null @@ -1,34 +0,0 @@ -policy_module(publicfile, 1.1.0) - -######################################## -# -# Declarations -# - -type publicfile_t; -type publicfile_exec_t; -init_daemon_domain(publicfile_t, publicfile_exec_t) - -type publicfile_content_t; -files_type(publicfile_content_t) - -######################################## -# -# Local policy -# - -allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; -allow publicfile_t publicfile_content_t:dir list_dir_perms; -allow publicfile_t publicfile_content_t:file read_file_perms; - -files_search_var(publicfile_t) - -optional_policy(` - daemontools_ipc_domain(publicfile_t) -') - -optional_policy(` - ucspitcp_service_domain(publicfile_t, publicfile_exec_t) -') - -#allow publicfile_t initrc_t:tcp_socket { read write }; diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc deleted file mode 100644 index 2f1e52990..000000000 --- a/policy/modules/services/puppet.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) - -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) - -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) - -/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) -/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) -/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if deleted file mode 100644 index 2855a4438..000000000 --- a/policy/modules/services/puppet.if +++ /dev/null @@ -1,31 +0,0 @@ -## Puppet client daemon -## -##

-## Puppet is a configuration management system written in Ruby. -## The client daemon is responsible for periodically requesting the -## desired system state from the server and ensuring the state of -## the client system matches. -##

-## - -################################################ -## -## Read / Write to Puppet temp files. Puppet uses -## some system binaries (groupadd, etc) that run in -## a non-puppet domain and redirects output into temp -## files. -## -## -## -## Domain allowed access. -## -## -# -interface(`puppet_rw_tmp', ` - gen_require(` - type puppet_tmp_t; - ') - - allow $1 puppet_tmp_t:file rw_file_perms; - files_search_tmp($1) -') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te deleted file mode 100644 index 941f6e1b3..000000000 --- a/policy/modules/services/puppet.te +++ /dev/null @@ -1,235 +0,0 @@ -policy_module(puppet, 1.1.1) - -######################################## -# -# Declarations -# - -## -##

-## Allow Puppet client to manage all file -## types. -##

-## -gen_tunable(puppet_manage_all_files, false) - -type puppet_t; -type puppet_exec_t; -init_daemon_domain(puppet_t, puppet_exec_t) - -type puppet_etc_t; -files_config_file(puppet_etc_t) - -type puppet_initrc_exec_t; -init_script_file(puppet_initrc_exec_t) - -type puppet_log_t; -logging_log_file(puppet_log_t) - -type puppet_tmp_t; -files_tmp_file(puppet_tmp_t) - -type puppet_var_lib_t; -files_type(puppet_var_lib_t) - -type puppet_var_run_t; -files_pid_file(puppet_var_run_t) - -type puppetmaster_t; -type puppetmaster_exec_t; -init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) - -type puppetmaster_initrc_exec_t; -init_script_file(puppetmaster_initrc_exec_t) - -type puppetmaster_tmp_t; -files_tmp_file(puppetmaster_tmp_t) - -######################################## -# -# Puppet personal policy -# - -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; -allow puppet_t self:process { signal signull getsched setsched }; -allow puppet_t self:fifo_file rw_fifo_file_perms; -allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -allow puppet_t self:tcp_socket create_stream_socket_perms; -allow puppet_t self:udp_socket create_socket_perms; - -read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) - -manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -files_search_var_lib(puppet_t) - -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) - -create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) -create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) - -manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) - -kernel_dontaudit_search_sysctl(puppet_t) -kernel_dontaudit_search_kernel_sysctl(puppet_t) -kernel_read_system_state(puppet_t) -kernel_read_crypto_sysctls(puppet_t) - -corecmd_exec_bin(puppet_t) -corecmd_exec_shell(puppet_t) - -corenet_all_recvfrom_netlabel(puppet_t) -corenet_all_recvfrom_unlabeled(puppet_t) -corenet_tcp_sendrecv_generic_if(puppet_t) -corenet_tcp_sendrecv_generic_node(puppet_t) -corenet_tcp_bind_generic_node(puppet_t) -corenet_tcp_connect_puppet_port(puppet_t) -corenet_sendrecv_puppet_client_packets(puppet_t) - -dev_read_rand(puppet_t) -dev_read_sysfs(puppet_t) -dev_read_urand(puppet_t) - -domain_read_all_domains_state(puppet_t) -domain_interactive_fd(puppet_t) - -files_manage_config_files(puppet_t) -files_manage_config_dirs(puppet_t) -files_manage_etc_dirs(puppet_t) -files_manage_etc_files(puppet_t) -files_read_usr_symlinks(puppet_t) -files_relabel_config_dirs(puppet_t) -files_relabel_config_files(puppet_t) - -selinux_search_fs(puppet_t) -selinux_set_all_booleans(puppet_t) -selinux_set_generic_booleans(puppet_t) -selinux_validate_context(puppet_t) - -term_dontaudit_getattr_unallocated_ttys(puppet_t) -term_dontaudit_getattr_all_ttys(puppet_t) - -init_all_labeled_script_domtrans(puppet_t) -init_domtrans_script(puppet_t) -init_read_utmp(puppet_t) -init_signull_script(puppet_t) - -logging_send_syslog_msg(puppet_t) - -miscfiles_read_hwdata(puppet_t) -miscfiles_read_localization(puppet_t) - -mount_domtrans(puppet_t) - -seutil_domtrans_setfiles(puppet_t) -seutil_domtrans_semanage(puppet_t) - -sysnet_dns_name_resolve(puppet_t) -sysnet_run_ifconfig(puppet_t, system_r) - -tunable_policy(`puppet_manage_all_files',` - auth_manage_all_files_except_auth_files(puppet_t) -') - -optional_policy(` - consoletype_domtrans(puppet_t) -') - -optional_policy(` - hostname_exec(puppet_t) -') - -optional_policy(` - files_rw_var_files(puppet_t) - - rpm_domtrans(puppet_t) - rpm_manage_db(puppet_t) - rpm_manage_log(puppet_t) -') - -optional_policy(` - unconfined_domain(puppet_t) -') - -optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -') - -######################################## -# -# Pupper master personal policy -# - -allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -allow puppetmaster_t self:process { signal_perms getsched setsched }; -allow puppetmaster_t self:fifo_file rw_fifo_file_perms; -allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; -allow puppetmaster_t self:socket create; -allow puppetmaster_t self:tcp_socket create_stream_socket_perms; -allow puppetmaster_t self:udp_socket create_socket_perms; - -list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) -read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) - -allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; -allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; -logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) - -manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) - -setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) -manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) -files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) - -manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) -manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) -files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) - -kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) -kernel_read_system_state(puppetmaster_t) -kernel_read_crypto_sysctls(puppetmaster_t) - -corecmd_exec_bin(puppetmaster_t) -corecmd_exec_shell(puppetmaster_t) - -corenet_all_recvfrom_netlabel(puppetmaster_t) -corenet_all_recvfrom_unlabeled(puppetmaster_t) -corenet_tcp_sendrecv_generic_if(puppetmaster_t) -corenet_tcp_sendrecv_generic_node(puppetmaster_t) -corenet_tcp_bind_generic_node(puppetmaster_t) -corenet_tcp_bind_puppet_port(puppetmaster_t) -corenet_sendrecv_puppet_server_packets(puppetmaster_t) - -dev_read_rand(puppetmaster_t) -dev_read_urand(puppetmaster_t) - -domain_read_all_domains_state(puppetmaster_t) - -files_read_etc_files(puppetmaster_t) -files_search_var_lib(puppetmaster_t) - -logging_send_syslog_msg(puppetmaster_t) - -miscfiles_read_localization(puppetmaster_t) - -sysnet_dns_name_resolve(puppetmaster_t) -sysnet_run_ifconfig(puppetmaster_t, system_r) - -optional_policy(` - hostname_exec(puppetmaster_t) -') - -optional_policy(` - files_read_usr_symlinks(puppetmaster_t) - - rpm_exec(puppetmaster_t) - rpm_read_db(puppetmaster_t) -') diff --git a/policy/modules/services/pxe.fc b/policy/modules/services/pxe.fc deleted file mode 100644 index 44b3a0c4b..000000000 --- a/policy/modules/services/pxe.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) - -/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) - -/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/policy/modules/services/pxe.if b/policy/modules/services/pxe.if deleted file mode 100644 index d3d6a6b80..000000000 --- a/policy/modules/services/pxe.if +++ /dev/null @@ -1 +0,0 @@ -## Server for the PXE network boot protocol diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te deleted file mode 100644 index fec69ebd5..000000000 --- a/policy/modules/services/pxe.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(pxe, 1.4.0) - -# cjp: policy seems incomplete - -######################################## -# -# Declarations -# - -type pxe_t; -type pxe_exec_t; -init_daemon_domain(pxe_t, pxe_exec_t) - -type pxe_log_t; -logging_log_file(pxe_log_t) - -type pxe_var_run_t; -files_pid_file(pxe_var_run_t) - -######################################## -# -# Local policy -# - -allow pxe_t self:capability { chown setgid setuid }; -dontaudit pxe_t self:capability sys_tty_config; -allow pxe_t self:process signal_perms; - -allow pxe_t pxe_log_t:file manage_file_perms; -logging_log_filetrans(pxe_t, pxe_log_t, file) - -manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t) -files_pid_filetrans(pxe_t, pxe_var_run_t, file) - -kernel_read_kernel_sysctls(pxe_t) -kernel_list_proc(pxe_t) -kernel_read_proc_symlinks(pxe_t) - -corenet_udp_bind_pxe_port(pxe_t) - -dev_read_sysfs(pxe_t) - -domain_use_interactive_fds(pxe_t) - -files_read_etc_files(pxe_t) - -fs_getattr_all_fs(pxe_t) -fs_search_auto_mountpoints(pxe_t) - -logging_send_syslog_msg(pxe_t) - -miscfiles_read_localization(pxe_t) - -userdom_dontaudit_use_unpriv_user_fds(pxe_t) -userdom_dontaudit_search_user_home_dirs(pxe_t) - -optional_policy(` - seutil_sigchld_newrole(pxe_t) -') - -optional_policy(` - udev_read_db(pxe_t) -') diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc deleted file mode 100644 index 491fe8f84..000000000 --- a/policy/modules/services/pyicqt.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) - -/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) - -/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) - -/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if deleted file mode 100644 index 9604b6a07..000000000 --- a/policy/modules/services/pyicqt.if +++ /dev/null @@ -1 +0,0 @@ -## PyICQt is an ICQ transport for XMPP server. diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te deleted file mode 100644 index a841221ac..000000000 --- a/policy/modules/services/pyicqt.te +++ /dev/null @@ -1,59 +0,0 @@ -policy_module(pyicqt, 1.0.0) - -######################################## -# -# Declarations -# - -type pyicqt_t; -type pyicqt_exec_t; -init_daemon_domain(pyicqt_t, pyicqt_exec_t) - -type pyicqt_conf_t; -files_config_file(pyicqt_conf_t) - -type pyicqt_spool_t; -files_type(pyicqt_spool_t) - -type pyicqt_var_run_t; -files_pid_file(pyicqt_var_run_t) - -######################################## -# -# PyICQt policy -# - -allow pyicqt_t self:fifo_file rw_fifo_file_perms; -allow pyicqt_t self:tcp_socket create_socket_perms; -allow pyicqt_t self:udp_socket create_socket_perms; - -read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) - -manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) -manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) -files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file }) - -manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) -files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) - -kernel_read_system_state(pyicqt_t) - -corecmd_exec_bin(pyicqt_t) - -corenet_all_recvfrom_unlabeled(pyicqt_t) -corenet_all_recvfrom_netlabel(pyicqt_t) -corenet_tcp_sendrecv_generic_if(pyicqt_t) -corenet_tcp_sendrecv_generic_node(pyicqt_t) -corenet_tcp_connect_generic_port(pyicqt_t) -corenet_sendrecv_generic_client_packets(pyicqt_t) - -dev_read_urand(pyicqt_t) - -files_read_etc_files(pyicqt_t) -files_read_usr_files(pyicqt_t) - -libs_read_lib_files(pyicqt_t) - -miscfiles_read_localization(pyicqt_t) - -sysnet_read_config(pyicqt_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc deleted file mode 100644 index d4a775069..000000000 --- a/policy/modules/services/pyzor.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) - -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - -/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) -/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) - -/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) -/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if deleted file mode 100644 index 494f7e221..000000000 --- a/policy/modules/services/pyzor.if +++ /dev/null @@ -1,90 +0,0 @@ -## Pyzor is a distributed, collaborative spam detection and filtering network. - -######################################## -## -## Role access for pyzor -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`pyzor_role',` - gen_require(` - type pyzor_t, pyzor_exec_t; - type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; - ') - - role $1 types pyzor_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, pyzor_exec_t, pyzor_t) - - # allow ps to show pyzor and allow the user to kill it - ps_process_pattern($2, pyzor_t) - allow $2 pyzor_t:process signal; -') - -######################################## -## -## Send generic signals to pyzor -## -## -## -## Domain allowed access. -## -## -# -interface(`pyzor_signal',` - gen_require(` - type pyzor_t; - ') - - allow $1 pyzor_t:process signal; -') - -######################################## -## -## Execute pyzor with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pyzor_domtrans',` - gen_require(` - type pyzor_exec_t, pyzor_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, pyzor_exec_t, pyzor_t) -') - -######################################## -## -## Execute pyzor in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`pyzor_exec',` - gen_require(` - type pyzor_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) -') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te deleted file mode 100644 index cd683f9a4..000000000 --- a/policy/modules/services/pyzor.te +++ /dev/null @@ -1,148 +0,0 @@ -policy_module(pyzor, 2.1.0) - -######################################## -# -# Declarations -# - -type pyzor_t; -type pyzor_exec_t; -typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; -application_domain(pyzor_t, pyzor_exec_t) -ubac_constrained(pyzor_t) -role system_r types pyzor_t; - -type pyzor_etc_t; -files_type(pyzor_etc_t) - -type pyzor_home_t; -typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; -typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; -userdom_user_home_content(pyzor_home_t) - -type pyzor_tmp_t; -typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; -typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; -files_tmp_file(pyzor_tmp_t) -ubac_constrained(pyzor_tmp_t) - -type pyzor_var_lib_t; -typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; -typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; -files_type(pyzor_var_lib_t) -ubac_constrained(pyzor_var_lib_t) - -type pyzord_t; -type pyzord_exec_t; -init_daemon_domain(pyzord_t, pyzord_exec_t) - -type pyzord_log_t; -logging_log_file(pyzord_log_t) - -######################################## -# -# Pyzor client local policy -# - -allow pyzor_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) - -allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; -read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) -files_search_var_lib(pyzor_t) - -manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(pyzor_t) -kernel_read_system_state(pyzor_t) - -corecmd_list_bin(pyzor_t) -corecmd_getattr_bin_files(pyzor_t) - -corenet_tcp_sendrecv_generic_if(pyzor_t) -corenet_udp_sendrecv_generic_if(pyzor_t) -corenet_tcp_sendrecv_generic_node(pyzor_t) -corenet_udp_sendrecv_generic_node(pyzor_t) -corenet_tcp_sendrecv_all_ports(pyzor_t) -corenet_udp_sendrecv_all_ports(pyzor_t) -corenet_tcp_connect_http_port(pyzor_t) - -dev_read_urand(pyzor_t) - -files_read_etc_files(pyzor_t) - -auth_use_nsswitch(pyzor_t) - -miscfiles_read_localization(pyzor_t) - -userdom_dontaudit_search_user_home_dirs(pyzor_t) - -optional_policy(` - amavis_manage_lib_files(pyzor_t) - amavis_manage_spool_files(pyzor_t) -') - -optional_policy(` - spamassassin_signal_spamd(pyzor_t) - spamassassin_read_spamd_tmp_files(pyzor_t) -') - -######################################## -# -# Pyzor server local policy -# - -allow pyzord_t self:udp_socket create_socket_perms; - -manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) -allow pyzord_t pyzor_var_lib_t:dir setattr; -files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) - -read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) -allow pyzord_t pyzor_etc_t:dir list_dir_perms; - -can_exec(pyzord_t, pyzor_exec_t) - -manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -allow pyzord_t pyzord_log_t:dir setattr; -logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } ) - -kernel_read_kernel_sysctls(pyzord_t) -kernel_read_system_state(pyzord_t) - -dev_read_urand(pyzord_t) - -corecmd_exec_bin(pyzord_t) - -corenet_all_recvfrom_unlabeled(pyzord_t) -corenet_all_recvfrom_netlabel(pyzord_t) -corenet_udp_sendrecv_generic_if(pyzord_t) -corenet_udp_sendrecv_generic_node(pyzord_t) -corenet_udp_sendrecv_all_ports(pyzord_t) -corenet_udp_bind_generic_node(pyzord_t) -corenet_udp_bind_pyzor_port(pyzord_t) -corenet_sendrecv_pyzor_server_packets(pyzord_t) - -files_read_etc_files(pyzord_t) - -auth_use_nsswitch(pyzord_t) - -locallogin_dontaudit_use_fds(pyzord_t) - -miscfiles_read_localization(pyzord_t) - -# Do not audit attempts to access /root. -userdom_dontaudit_search_user_home_dirs(pyzord_t) - -mta_manage_spool(pyzord_t) - -optional_policy(` - logging_send_syslog_msg(pyzord_t) -') diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc deleted file mode 100644 index 0055e54bc..000000000 --- a/policy/modules/services/qmail.fc +++ /dev/null @@ -1,47 +0,0 @@ - -/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) -/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) - -/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) -/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - -/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) - -ifdef(`distro_debian', ` -/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - -#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) - -/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) - -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - -/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) -') - diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if deleted file mode 100644 index a55bf44be..000000000 --- a/policy/modules/services/qmail.if +++ /dev/null @@ -1,151 +0,0 @@ -## Qmail Mail Server - -######################################## -## -## Template for qmail parent/sub-domain pairs -## -## -## -## The prefix of the child domain -## -## -## -## -## The name of the parent domain. -## -## -# -template(`qmail_child_domain_template',` - type $1_t; - domain_type($1_t) - type $1_exec_t; - domain_entry_file($1_t, $1_exec_t) - domain_auto_trans($2, $1_exec_t, $1_t) - role system_r types $1_t; - - allow $1_t self:process signal_perms; - - allow $1_t $2:fd use; - allow $1_t $2:fifo_file rw_file_perms; - allow $1_t $2:process sigchld; - - allow $1_t qmail_etc_t:dir list_dir_perms; - allow $1_t qmail_etc_t:file read_file_perms; - allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; - - allow $1_t qmail_start_t:fd use; - - kernel_list_proc($2) - kernel_read_proc_symlinks($2) - - corecmd_search_bin($1_t) - - files_search_var($1_t) - - fs_getattr_xattr_fs($1_t) - - miscfiles_read_localization($1_t) -') - -######################################## -## -## Transition to qmail_inject_t -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qmail_domtrans_inject',` - gen_require(` - type qmail_inject_t, qmail_inject_exec_t; - ') - - domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) - - ifdef(`distro_debian',` - files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - corecmd_search_bin($1) - ') -') - -######################################## -## -## Transition to qmail_queue_t -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qmail_domtrans_queue',` - gen_require(` - type qmail_queue_t, qmail_queue_exec_t; - ') - - domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) - - ifdef(`distro_debian',` - files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - corecmd_search_bin($1) - ') -') - -######################################## -## -## Read qmail configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`qmail_read_config',` - gen_require(` - type qmail_etc_t; - ') - - allow $1 qmail_etc_t:dir list_dir_perms; - allow $1 qmail_etc_t:file read_file_perms; - allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; - files_search_var($1) - - ifdef(`distro_debian',` - # handle /etc/qmail - files_search_etc($1) - ') -') - -######################################## -## -## Define the specified domain as a qmail-smtp service. -## Needed by antivirus/antispam filters. -## -## -## -## Domain allowed access -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`qmail_smtpd_service_domain',` - gen_require(` - type qmail_smtpd_t; - ') - - domtrans_pattern(qmail_smtpd_t, $2, $1) -') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te deleted file mode 100644 index 355b2a282..000000000 --- a/policy/modules/services/qmail.te +++ /dev/null @@ -1,321 +0,0 @@ -policy_module(qmail, 1.5.0) - -######################################## -# -# Declarations -# - -attribute qmail_user_domains; - -type qmail_alias_home_t; -files_type(qmail_alias_home_t) - -qmail_child_domain_template(qmail_clean, qmail_start_t) - -type qmail_etc_t; -files_config_file(qmail_etc_t) - -type qmail_exec_t; -files_type(qmail_exec_t) - -type qmail_inject_t, qmail_user_domains; -type qmail_inject_exec_t; -domain_type(qmail_inject_t) -domain_entry_file(qmail_inject_t, qmail_inject_exec_t) -mta_mailserver_user_agent(qmail_inject_t) -role system_r types qmail_inject_t; - -qmail_child_domain_template(qmail_local, qmail_lspawn_t) -mta_mailserver_delivery(qmail_local_t) - -qmail_child_domain_template(qmail_lspawn, qmail_start_t) -mta_mailserver_delivery(qmail_lspawn_t) - -qmail_child_domain_template(qmail_queue, qmail_inject_t) -typeattribute qmail_queue_t qmail_user_domains; -mta_mailserver_user_agent(qmail_queue_t) - -qmail_child_domain_template(qmail_remote, qmail_rspawn_t) -mta_mailserver_sender(qmail_remote_t) - -qmail_child_domain_template(qmail_rspawn, qmail_start_t) - -qmail_child_domain_template(qmail_send, qmail_start_t) - -qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) - -qmail_child_domain_template(qmail_splogger, qmail_start_t) - -type qmail_spool_t; -files_type(qmail_spool_t) - -type qmail_start_t; -type qmail_start_exec_t; -init_daemon_domain(qmail_start_t, qmail_start_exec_t) - -type qmail_tcp_env_t; -type qmail_tcp_env_exec_t; -application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) - -######################################## -# -# qmail-clean local policy -# this component cleans up the queue directory -# - -read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) -delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) - -######################################## -# -# qmail-inject local policy -# this component preprocesses mail from stdin and invokes qmail-queue -# - -allow qmail_inject_t self:fifo_file write_fifo_file_perms; -allow qmail_inject_t self:process signal_perms; - -allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; - -corecmd_search_bin(qmail_inject_t) - -files_search_var(qmail_inject_t) - -miscfiles_read_localization(qmail_inject_t) - -qmail_read_config(qmail_inject_t) - -######################################## -# -# qmail-local local policy -# this component delivers a mail message -# - -allow qmail_local_t self:fifo_file write_file_perms; -allow qmail_local_t self:process signal_perms; -allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) - -can_exec(qmail_local_t, qmail_local_exec_t) - -allow qmail_local_t qmail_queue_exec_t:file read_file_perms; - -allow qmail_local_t qmail_spool_t:file read_file_perms; - -kernel_read_system_state(qmail_local_t) - -corecmd_exec_bin(qmail_local_t) -corecmd_exec_shell(qmail_local_t) - -files_read_etc_files(qmail_local_t) -files_read_etc_runtime_files(qmail_local_t) - -auth_use_nsswitch(qmail_local_t) - -logging_send_syslog_msg(qmail_local_t) - -mta_append_spool(qmail_local_t) - -qmail_domtrans_queue(qmail_local_t) - -optional_policy(` - spamassassin_domtrans_client(qmail_local_t) -') - -######################################## -# -# qmail-lspawn local policy -# this component schedules local deliveries -# - -allow qmail_lspawn_t self:capability { setuid setgid }; -allow qmail_lspawn_t self:process signal_perms; -allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; -allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; - -can_exec(qmail_lspawn_t, qmail_exec_t) - -allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; - -read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) - -corecmd_search_bin(qmail_lspawn_t) - -files_read_etc_files(qmail_lspawn_t) -files_search_pids(qmail_lspawn_t) -files_search_tmp(qmail_lspawn_t) - -######################################## -# -# qmail-queue local policy -# this component places a mail in a delivery queue, later to be processed by qmail-send -# - -allow qmail_queue_t qmail_lspawn_t:fd use; -allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; - -allow qmail_queue_t qmail_smtpd_t:fd use; -allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; -allow qmail_queue_t qmail_smtpd_t:process sigchld; - -manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) - -corecmd_exec_bin(qmail_queue_t) - -logging_send_syslog_msg(qmail_queue_t) - -optional_policy(` - daemontools_ipc_domain(qmail_queue_t) -') - -######################################## -# -# qmail-remote local policy -# this component sends mail via SMTP -# - -allow qmail_remote_t self:tcp_socket create_socket_perms; -allow qmail_remote_t self:udp_socket create_socket_perms; - -rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) - -corenet_all_recvfrom_unlabeled(qmail_remote_t) -corenet_all_recvfrom_netlabel(qmail_remote_t) -corenet_tcp_sendrecv_generic_if(qmail_remote_t) -corenet_udp_sendrecv_generic_if(qmail_remote_t) -corenet_tcp_sendrecv_generic_node(qmail_remote_t) -corenet_udp_sendrecv_generic_node(qmail_remote_t) -corenet_tcp_sendrecv_smtp_port(qmail_remote_t) -corenet_udp_sendrecv_dns_port(qmail_remote_t) -corenet_tcp_connect_smtp_port(qmail_remote_t) -corenet_sendrecv_smtp_client_packets(qmail_remote_t) - -dev_read_rand(qmail_remote_t) -dev_read_urand(qmail_remote_t) - -sysnet_read_config(qmail_remote_t) - -######################################## -# -# qmail-rspawn local policy -# this component scedules remote deliveries -# - -allow qmail_rspawn_t self:process signal_perms; -allow qmail_rspawn_t self:fifo_file read_fifo_file_perms; - -allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; - -rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) - -corecmd_search_bin(qmail_rspawn_t) - -######################################## -# -# qmail-send local policy -# this component delivers mail messages from the queue -# - -allow qmail_send_t self:process signal_perms; -allow qmail_send_t self:fifo_file write_fifo_file_perms; - -manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) -manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) -read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) - -qmail_domtrans_queue(qmail_send_t) - -optional_policy(` - daemontools_ipc_domain(qmail_send_t) -') - -######################################## -# -# qmail-smtpd local policy -# this component receives mails via SMTP -# - -allow qmail_smtpd_t self:process signal_perms; -allow qmail_smtpd_t self:fifo_file write_fifo_file_perms; -allow qmail_smtpd_t self:tcp_socket create_socket_perms; - -allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms; - -dev_read_rand(qmail_smtpd_t) -dev_read_urand(qmail_smtpd_t) - -qmail_domtrans_queue(qmail_smtpd_t) - -optional_policy(` - daemontools_ipc_domain(qmail_smtpd_t) -') - -optional_policy(` - kerberos_keytab_template(qmail, qmail_smtpd_t) -') - -optional_policy(` - ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) -') - -######################################## -# -# splogger local policy -# this component creates entries in syslog -# - -allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; - -files_read_etc_files(qmail_splogger_t) - -init_dontaudit_use_script_fds(qmail_splogger_t) - -miscfiles_read_localization(qmail_splogger_t) - -######################################## -# -# qmail-start local policy -# this component starts up the mail delivery component -# - -allow qmail_start_t self:capability { setgid setuid }; -dontaudit qmail_start_t self:capability sys_tty_config; -allow qmail_start_t self:fifo_file rw_fifo_file_perms; -allow qmail_start_t self:process signal_perms; - -can_exec(qmail_start_t, qmail_start_exec_t) - -corecmd_search_bin(qmail_start_t) - -files_search_var(qmail_start_t) - -qmail_read_config(qmail_start_t) - -optional_policy(` - daemontools_service_domain(qmail_start_t, qmail_start_exec_t) - daemontools_ipc_domain(qmail_start_t) -') - -######################################## -# -# tcp-env local policy -# this component sets up TCP-related environment variables -# - -allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; - -corecmd_search_bin(qmail_tcp_env_t) - -sysnet_read_config(qmail_tcp_env_t) - -optional_policy(` - inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) -') - -optional_policy(` - ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) -') diff --git a/policy/modules/services/qpid.fc b/policy/modules/services/qpid.fc deleted file mode 100644 index 4f9422929..000000000 --- a/policy/modules/services/qpid.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) - -/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) - -/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) - -/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) -/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if deleted file mode 100644 index 5a9630c06..000000000 --- a/policy/modules/services/qpid.if +++ /dev/null @@ -1,186 +0,0 @@ -## Apache QPID AMQP messaging server. - -######################################## -## -## Execute a domain transition to run qpidd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`qpidd_domtrans',` - gen_require(` - type qpidd_t, qpidd_exec_t; - ') - - domtrans_pattern($1, qpidd_exec_t, qpidd_t) -') - -##################################### -## -## Allow read and write access to qpidd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_rw_semaphores',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:sem rw_sem_perms; -') - -######################################## -## -## Read and write to qpidd shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_rw_shm',` - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:shm rw_shm_perms; -') - -######################################## -## -## Execute qpidd server in the qpidd domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_initrc_domtrans',` - gen_require(` - type qpidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, qpidd_initrc_exec_t) -') - -######################################## -## -## Read qpidd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_read_pid_files',` - gen_require(` - type qpidd_var_run_t; - ') - - files_search_pids($1) - allow $1 qpidd_var_run_t:file read_file_perms; -') - -######################################## -## -## Search qpidd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_search_lib',` - gen_require(` - type qpidd_var_lib_t; - ') - - allow $1 qpidd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read qpidd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_read_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## qpidd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`qpidd_manage_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an qpidd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`qpidd_admin',` - gen_require(` - type qpidd_t, qpidd_initrc_exec_t; - ') - - allow $1 qpidd_t:process { ptrace signal_perms }; - ps_process_pattern($1, qpidd_t) - - # Allow qpidd_t to restart the apache service - qpidd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 qpidd_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, qpidd_var_lib_t) - - admin_pattern($1, qpidd_var_run_t) -') diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te deleted file mode 100644 index cb7ecb546..000000000 --- a/policy/modules/services/qpid.te +++ /dev/null @@ -1,63 +0,0 @@ -policy_module(qpid, 1.0.0) - -######################################## -# -# Declarations -# - -type qpidd_t; -type qpidd_exec_t; -init_daemon_domain(qpidd_t, qpidd_exec_t) - -type qpidd_initrc_exec_t; -init_script_file(qpidd_initrc_exec_t) - -type qpidd_var_lib_t; -files_type(qpidd_var_lib_t) - -type qpidd_var_run_t; -files_pid_file(qpidd_var_run_t) - -######################################## -# -# qpidd local policy -# - -allow qpidd_t self:process { setsched signull }; -allow qpidd_t self:fifo_file rw_fifo_file_perms; -allow qpidd_t self:sem create_sem_perms; -allow qpidd_t self:shm create_shm_perms; -allow qpidd_t self:tcp_socket create_stream_socket_perms; -allow qpidd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) - -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) - -kernel_read_system_state(qpidd_t) - -corenet_all_recvfrom_unlabeled(qpidd_t) -corenet_all_recvfrom_netlabel(qpidd_t) -corenet_tcp_sendrecv_generic_if(qpidd_t) -corenet_tcp_sendrecv_generic_node(qpidd_t) -corenet_tcp_sendrecv_all_ports(qpidd_t) -corenet_tcp_bind_generic_node(qpidd_t) -corenet_tcp_bind_amqp_port(qpidd_t) - -dev_read_urand(qpidd_t) - -files_read_etc_files(qpidd_t) - -logging_send_syslog_msg(qpidd_t) - -miscfiles_read_localization(qpidd_t) - -sysnet_dns_name_resolve(qpidd_t) - -optional_policy(` - corosync_stream_connect(qpidd_t) -') diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc deleted file mode 100644 index 09f7b5018..000000000 --- a/policy/modules/services/radius.fc +++ /dev/null @@ -1,23 +0,0 @@ - -/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) - -/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) -/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) - -/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) -/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - -/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) - -/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0) -/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) - -/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) -/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if deleted file mode 100644 index 75e5dc400..000000000 --- a/policy/modules/services/radius.if +++ /dev/null @@ -1,62 +0,0 @@ -## RADIUS authentication and accounting server. - -######################################## -## -## Use radius over a UDP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`radius_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an radius environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`radius_admin',` - gen_require(` - type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; - type radiusd_initrc_exec_t; - ') - - allow $1 radiusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radiusd_t) - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 radiusd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, radiusd_etc_t) - - logging_list_logs($1) - admin_pattern($1, radiusd_log_t) - - admin_pattern($1, radiusd_etc_rw_t) - - files_list_var_lib($1) - admin_pattern($1, radiusd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, radiusd_var_run_t) -') diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te deleted file mode 100644 index b1ed1bf4d..000000000 --- a/policy/modules/services/radius.te +++ /dev/null @@ -1,143 +0,0 @@ -policy_module(radius, 1.12.0) - -######################################## -# -# Declarations -# - -type radiusd_t; -type radiusd_exec_t; -init_daemon_domain(radiusd_t, radiusd_exec_t) - -type radiusd_etc_t; -files_config_file(radiusd_etc_t) - -type radiusd_etc_rw_t; -files_type(radiusd_etc_rw_t) - -type radiusd_initrc_exec_t; -init_script_file(radiusd_initrc_exec_t) - -type radiusd_log_t; -logging_log_file(radiusd_log_t) - -type radiusd_var_lib_t; -files_type(radiusd_var_lib_t) - -type radiusd_var_run_t; -files_pid_file(radiusd_var_run_t) - -######################################## -# -# Local policy -# - -# fsetid is for gzip which needs it when run from scripts -# gzip also needs chown access to preserve GID for radwtmp files -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; -dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; -allow radiusd_t self:fifo_file rw_fifo_file_perms; -allow radiusd_t self:unix_stream_socket create_stream_socket_perms; -allow radiusd_t self:tcp_socket create_stream_socket_perms; -allow radiusd_t self:udp_socket create_socket_perms; - -allow radiusd_t radiusd_etc_t:dir list_dir_perms; -read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) -read_lnk_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) -files_search_etc(radiusd_t) - -manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) -filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) - -manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) - -manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) - -manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) - -kernel_read_kernel_sysctls(radiusd_t) -kernel_read_system_state(radiusd_t) - -corenet_all_recvfrom_unlabeled(radiusd_t) -corenet_all_recvfrom_netlabel(radiusd_t) -corenet_tcp_sendrecv_generic_if(radiusd_t) -corenet_udp_sendrecv_generic_if(radiusd_t) -corenet_tcp_sendrecv_generic_node(radiusd_t) -corenet_udp_sendrecv_generic_node(radiusd_t) -corenet_tcp_sendrecv_all_ports(radiusd_t) -corenet_udp_sendrecv_all_ports(radiusd_t) -corenet_udp_bind_generic_node(radiusd_t) -corenet_udp_bind_radacct_port(radiusd_t) -corenet_udp_bind_radius_port(radiusd_t) -corenet_tcp_connect_mysqld_port(radiusd_t) -corenet_tcp_connect_snmp_port(radiusd_t) -corenet_sendrecv_radius_server_packets(radiusd_t) -corenet_sendrecv_radacct_server_packets(radiusd_t) -corenet_sendrecv_mysqld_client_packets(radiusd_t) -corenet_sendrecv_snmp_client_packets(radiusd_t) -# for RADIUS proxy port -corenet_udp_bind_generic_port(radiusd_t) -corenet_dontaudit_udp_bind_all_ports(radiusd_t) -corenet_sendrecv_generic_server_packets(radiusd_t) - -dev_read_sysfs(radiusd_t) - -fs_getattr_all_fs(radiusd_t) -fs_search_auto_mountpoints(radiusd_t) - -corecmd_exec_bin(radiusd_t) -corecmd_exec_shell(radiusd_t) - -domain_use_interactive_fds(radiusd_t) - -files_read_usr_files(radiusd_t) -files_read_etc_files(radiusd_t) -files_read_etc_runtime_files(radiusd_t) - -auth_use_nsswitch(radiusd_t) -auth_read_shadow(radiusd_t) -auth_domtrans_chk_passwd(radiusd_t) - -libs_exec_lib_files(radiusd_t) - -logging_send_syslog_msg(radiusd_t) - -miscfiles_read_localization(radiusd_t) -miscfiles_read_generic_certs(radiusd_t) - -userdom_dontaudit_use_unpriv_user_fds(radiusd_t) -userdom_dontaudit_search_user_home_dirs(radiusd_t) - -optional_policy(` - cron_system_entry(radiusd_t, radiusd_exec_t) -') - -optional_policy(` - logrotate_exec(radiusd_t) -') - -optional_policy(` - mysql_read_config(radiusd_t) - mysql_stream_connect(radiusd_t) -') - -optional_policy(` - samba_domtrans_winbind_helper(radiusd_t) - samba_read_var_files(radiusd_t) -') - -optional_policy(` - seutil_sigchld_newrole(radiusd_t) -') - -optional_policy(` - udev_read_db(radiusd_t) -') diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc deleted file mode 100644 index cc98d83b8..000000000 --- a/policy/modules/services/radvd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0) -/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0) - -/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) - -/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) -/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if deleted file mode 100644 index be05bff56..000000000 --- a/policy/modules/services/radvd.if +++ /dev/null @@ -1,39 +0,0 @@ -## IPv6 router advertisement daemon - -######################################## -## -## All of the rules required to administrate -## an radvd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`radvd_admin',` - gen_require(` - type radvd_t, radvd_etc_t; - type radvd_var_run_t, radvd_initrc_exec_t; - ') - - allow $1 radvd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radvd_t) - - init_labeled_script_domtrans($1, radvd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 radvd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, radvd_etc_t) - - files_list_pids($1) - admin_pattern($1, radvd_var_run_t) -') diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te deleted file mode 100644 index f9a216223..000000000 --- a/policy/modules/services/radvd.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(radvd, 1.13.0) - -######################################## -# -# Declarations -# -type radvd_t; -type radvd_exec_t; -init_daemon_domain(radvd_t, radvd_exec_t) - -type radvd_initrc_exec_t; -init_script_file(radvd_initrc_exec_t) - -type radvd_var_run_t; -files_pid_file(radvd_var_run_t) - -type radvd_etc_t; -files_config_file(radvd_etc_t) - -######################################## -# -# Local policy -# -allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; -dontaudit radvd_t self:capability sys_tty_config; -allow radvd_t self:process { fork signal_perms }; -allow radvd_t self:unix_dgram_socket create_socket_perms; -allow radvd_t self:unix_stream_socket create_socket_perms; -allow radvd_t self:rawip_socket create_socket_perms; -allow radvd_t self:tcp_socket create_stream_socket_perms; -allow radvd_t self:udp_socket create_socket_perms; -allow radvd_t self:fifo_file rw_file_perms; - -allow radvd_t radvd_etc_t:file read_file_perms; - -manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(radvd_t) -kernel_rw_net_sysctls(radvd_t) -kernel_read_network_state(radvd_t) -kernel_read_system_state(radvd_t) -kernel_request_load_module(radvd_t) - -corenet_all_recvfrom_unlabeled(radvd_t) -corenet_all_recvfrom_netlabel(radvd_t) -corenet_tcp_sendrecv_generic_if(radvd_t) -corenet_udp_sendrecv_generic_if(radvd_t) -corenet_raw_sendrecv_generic_if(radvd_t) -corenet_tcp_sendrecv_generic_node(radvd_t) -corenet_udp_sendrecv_generic_node(radvd_t) -corenet_raw_sendrecv_generic_node(radvd_t) -corenet_tcp_sendrecv_all_ports(radvd_t) -corenet_udp_sendrecv_all_ports(radvd_t) - -dev_read_sysfs(radvd_t) - -fs_getattr_all_fs(radvd_t) -fs_search_auto_mountpoints(radvd_t) - -domain_use_interactive_fds(radvd_t) - -files_read_etc_files(radvd_t) -files_list_usr(radvd_t) - -auth_use_nsswitch(radvd_t) - -logging_send_syslog_msg(radvd_t) - -miscfiles_read_localization(radvd_t) - -userdom_dontaudit_use_unpriv_user_fds(radvd_t) -userdom_dontaudit_search_user_home_dirs(radvd_t) - -optional_policy(` - seutil_sigchld_newrole(radvd_t) -') - -optional_policy(` - udev_read_db(radvd_t) -') diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc deleted file mode 100644 index 1efba0c0d..000000000 --- a/policy/modules/services/razor.fc +++ /dev/null @@ -1,8 +0,0 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) - -/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) - -/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) - -/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) -/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if deleted file mode 100644 index f04a5950b..000000000 --- a/policy/modules/services/razor.if +++ /dev/null @@ -1,159 +0,0 @@ -## A distributed, collaborative, spam detection and filtering network. -## -##

-## A distributed, collaborative, spam detection and filtering network. -##

-##

-## This policy will work with either the ATrpms provided config -## file in /etc/razor, or with the default of dumping everything into -## $HOME/.razor. -##

-## - -####################################### -## -## Template to create types and rules common to -## all razor domains. -## -## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`razor_common_domain_template',` - gen_require(` - type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; - ') - type $1_t; - domain_type($1_t) - domain_entry_file($1_t, razor_exec_t) - - allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:unix_dgram_socket sendto; - allow $1_t self:unix_stream_socket connectto; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:tcp_socket create_socket_perms; - - # Read system config file - allow $1_t razor_etc_t:dir list_dir_perms; - allow $1_t razor_etc_t:file read_file_perms; - allow $1_t razor_etc_t:lnk_file { getattr read }; - - manage_dirs_pattern($1_t, razor_log_t, razor_log_t) - manage_files_pattern($1_t, razor_log_t, razor_log_t) - manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t) - logging_log_filetrans($1_t, razor_log_t, file) - - manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t) - manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) - manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) - files_search_var_lib($1_t) - - # Razor is one executable and several symlinks - allow $1_t razor_exec_t:file read_file_perms; - allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; - - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) - kernel_read_kernel_sysctls($1_t) - - corecmd_exec_bin($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_raw_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_raw_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_razor_port($1_t) - - # mktemp and other randoms - dev_read_rand($1_t) - dev_read_urand($1_t) - - files_search_pids($1_t) - # Allow access to various files in the /etc/directory including mtab - # and nsswitch - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - - fs_search_auto_mountpoints($1_t) - - libs_read_lib_files($1_t) - - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - sysnet_dns_name_resolve($1_t) - - optional_policy(` - nis_use_ypbind($1_t) - ') -') - -######################################## -## -## Role access for razor -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`razor_role',` - gen_require(` - type razor_t, razor_exec_t, razor_home_t; - ') - - role $1 types razor_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, razor_exec_t, razor_t) - - # allow ps to show razor and allow the user to kill it - ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; - - manage_dirs_pattern($2, razor_home_t, razor_home_t) - manage_files_pattern($2, razor_home_t, razor_home_t) - manage_lnk_files_pattern($2, razor_home_t, razor_home_t) - relabel_dirs_pattern($2, razor_home_t, razor_home_t) - relabel_files_pattern($2, razor_home_t, razor_home_t) - relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) -') - -######################################## -## -## Execute razor in the system razor domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`razor_domtrans',` - gen_require(` - type razor_t, razor_exec_t; - ') - - domtrans_pattern($1, razor_exec_t, razor_t) -') diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te deleted file mode 100644 index 852840b23..000000000 --- a/policy/modules/services/razor.te +++ /dev/null @@ -1,122 +0,0 @@ -policy_module(razor, 2.2.0) - -######################################## -# -# Declarations -# - -type razor_exec_t; -corecmd_executable_file(razor_exec_t) - -type razor_etc_t; -files_config_file(razor_etc_t) - -type razor_home_t; -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -userdom_user_home_content(razor_home_t) - -type razor_log_t; -logging_log_file(razor_log_t) - -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -files_tmp_file(razor_tmp_t) -ubac_constrained(razor_tmp_t) - -type razor_var_lib_t; -files_type(razor_var_lib_t) - -# these are here due to ordering issues: -razor_common_domain_template(razor) -typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; -typealias razor_t alias { auditadm_razor_t secadm_razor_t }; -ubac_constrained(razor_t) - -razor_common_domain_template(system_razor) -role system_r types system_razor_t; - -######################################## -# -# System razor local policy -# - -# this version of razor is invoked typically -# via the system spam filter - -allow system_razor_t self:tcp_socket create_socket_perms; - -manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) -files_search_etc(system_razor_t) - -allow system_razor_t razor_log_t:file manage_file_perms; -logging_log_filetrans(system_razor_t, razor_log_t, file) - -manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) -files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) - -corenet_all_recvfrom_unlabeled(system_razor_t) -corenet_all_recvfrom_netlabel(system_razor_t) -corenet_tcp_sendrecv_generic_if(system_razor_t) -corenet_raw_sendrecv_generic_if(system_razor_t) -corenet_tcp_sendrecv_generic_node(system_razor_t) -corenet_raw_sendrecv_generic_node(system_razor_t) -corenet_tcp_sendrecv_razor_port(system_razor_t) -corenet_tcp_connect_razor_port(system_razor_t) -corenet_sendrecv_razor_client_packets(system_razor_t) - -sysnet_read_config(system_razor_t) - -# cjp: this shouldn't be needed -userdom_use_unpriv_users_fds(system_razor_t) - -optional_policy(` - logging_send_syslog_msg(system_razor_t) -') - -optional_policy(` - nscd_socket_use(system_razor_t) -') - -######################################## -# -# User razor local policy -# - -# Allow razor to be run by hand. Needed by any action other than -# invocation from a spam filter. - -allow razor_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) -manage_files_pattern(razor_t, razor_home_t, razor_home_t) -manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) -userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) - -manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) -manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) -files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) - -logging_send_syslog_msg(razor_t) - -userdom_search_user_home_dirs(razor_t) -userdom_use_user_terminals(razor_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(razor_t) - fs_manage_nfs_files(razor_t) - fs_manage_nfs_symlinks(razor_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(razor_t) - fs_manage_cifs_files(razor_t) - fs_manage_cifs_symlinks(razor_t) -') - -optional_policy(` - nscd_socket_use(razor_t) -') diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc deleted file mode 100644 index dee4adcdb..000000000 --- a/policy/modules/services/rdisc.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/policy/modules/services/rdisc.if b/policy/modules/services/rdisc.if deleted file mode 100644 index fe24d25d2..000000000 --- a/policy/modules/services/rdisc.if +++ /dev/null @@ -1,20 +0,0 @@ -## Network router discovery daemon - -###################################### -## -## Execute rdisc in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rdisc_exec',` - gen_require(` - type rdisc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rdisc_exec_t) -') diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te deleted file mode 100644 index 0f076850b..000000000 --- a/policy/modules/services/rdisc.te +++ /dev/null @@ -1,58 +0,0 @@ -policy_module(rdisc, 1.8.0) - -######################################## -# -# Declarations -# - -type rdisc_t; -type rdisc_exec_t; -init_daemon_domain(rdisc_t, rdisc_exec_t) - -######################################## -# -# Local policy -# - -allow rdisc_t self:capability net_raw; -dontaudit rdisc_t self:capability sys_tty_config; -allow rdisc_t self:process signal_perms; -allow rdisc_t self:unix_stream_socket create_stream_socket_perms; -allow rdisc_t self:udp_socket create_socket_perms; -allow rdisc_t self:rawip_socket create_socket_perms; - -kernel_list_proc(rdisc_t) -kernel_read_proc_symlinks(rdisc_t) -kernel_read_kernel_sysctls(rdisc_t) - -corenet_all_recvfrom_unlabeled(rdisc_t) -corenet_all_recvfrom_netlabel(rdisc_t) -corenet_udp_sendrecv_generic_if(rdisc_t) -corenet_raw_sendrecv_generic_if(rdisc_t) -corenet_udp_sendrecv_generic_node(rdisc_t) -corenet_raw_sendrecv_generic_node(rdisc_t) -corenet_udp_sendrecv_all_ports(rdisc_t) - -dev_read_sysfs(rdisc_t) - -fs_search_auto_mountpoints(rdisc_t) - -domain_use_interactive_fds(rdisc_t) - -files_read_etc_files(rdisc_t) - -logging_send_syslog_msg(rdisc_t) - -miscfiles_read_localization(rdisc_t) - -sysnet_read_config(rdisc_t) - -userdom_dontaudit_use_unpriv_user_fds(rdisc_t) - -optional_policy(` - seutil_sigchld_newrole(rdisc_t) -') - -optional_policy(` - udev_read_db(rdisc_t) -') diff --git a/policy/modules/services/remotelogin.fc b/policy/modules/services/remotelogin.fc deleted file mode 100644 index d8691bd14..000000000 --- a/policy/modules/services/remotelogin.fc +++ /dev/null @@ -1,2 +0,0 @@ - -# Remote login currently has no file contexts. diff --git a/policy/modules/services/remotelogin.if b/policy/modules/services/remotelogin.if deleted file mode 100644 index 31be9714e..000000000 --- a/policy/modules/services/remotelogin.if +++ /dev/null @@ -1,37 +0,0 @@ -## Policy for rshd, rlogind, and telnetd. - -######################################## -## -## Domain transition to the remote login domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`remotelogin_domtrans',` - gen_require(` - type remote_login_t; - ') - - auth_domtrans_login_program($1, remote_login_t) -') - -######################################## -## -## allow Domain to signal remote login domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`remotelogin_signal',` - gen_require(` - type remote_login_t; - ') - - allow $1 remote_login_t:process signal; -') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te deleted file mode 100644 index 0a7602735..000000000 --- a/policy/modules/services/remotelogin.te +++ /dev/null @@ -1,123 +0,0 @@ -policy_module(remotelogin, 1.7.0) - -######################################## -# -# Declarations -# - -type remote_login_t; -domain_interactive_fd(remote_login_t) -auth_login_pgm_domain(remote_login_t) -auth_login_entry_type(remote_login_t) - -type remote_login_tmp_t; -files_tmp_file(remote_login_tmp_t) - -######################################## -# -# Remote login remote policy -# - -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow remote_login_t self:process { setrlimit setexec }; -allow remote_login_t self:fd use; -allow remote_login_t self:fifo_file rw_fifo_file_perms; -allow remote_login_t self:sock_file read_sock_file_perms; -allow remote_login_t self:unix_dgram_socket create_socket_perms; -allow remote_login_t self:unix_stream_socket create_stream_socket_perms; -allow remote_login_t self:unix_dgram_socket sendto; -allow remote_login_t self:unix_stream_socket connectto; -allow remote_login_t self:shm create_shm_perms; -allow remote_login_t self:sem create_sem_perms; -allow remote_login_t self:msgq create_msgq_perms; -allow remote_login_t self:msg { send receive }; -allow remote_login_t self:key write; - -manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) - -kernel_read_system_state(remote_login_t) -kernel_read_kernel_sysctls(remote_login_t) - -dev_getattr_mouse_dev(remote_login_t) -dev_setattr_mouse_dev(remote_login_t) -dev_dontaudit_search_sysfs(remote_login_t) - -fs_getattr_xattr_fs(remote_login_t) -fs_search_auto_mountpoints(remote_login_t) - -term_relabel_all_ptys(remote_login_t) - -auth_rw_login_records(remote_login_t) -auth_rw_faillog(remote_login_t) -auth_manage_pam_console_data(remote_login_t) -auth_domtrans_pam_console(remote_login_t) - -corecmd_list_bin(remote_login_t) -corecmd_read_bin_symlinks(remote_login_t) -# cjp: these are probably not needed: -corecmd_read_bin_files(remote_login_t) -corecmd_read_bin_pipes(remote_login_t) -corecmd_read_bin_sockets(remote_login_t) - -domain_read_all_entry_files(remote_login_t) - -files_read_etc_files(remote_login_t) -files_read_etc_runtime_files(remote_login_t) -files_list_home(remote_login_t) -files_read_usr_files(remote_login_t) -files_list_world_readable(remote_login_t) -files_read_world_readable_files(remote_login_t) -files_read_world_readable_symlinks(remote_login_t) -files_read_world_readable_pipes(remote_login_t) -files_read_world_readable_sockets(remote_login_t) -files_list_mnt(remote_login_t) -# for when /var/mail is a sym-link -files_read_var_symlinks(remote_login_t) - -sysnet_dns_name_resolve(remote_login_t) - -miscfiles_read_localization(remote_login_t) - -userdom_use_unpriv_users_fds(remote_login_t) -userdom_search_user_home_content(remote_login_t) -# Only permit unprivileged user domains to be entered via rlogin, -# since very weak authentication is used. -userdom_signal_unpriv_users(remote_login_t) -userdom_spec_domtrans_unpriv_users(remote_login_t) - -# Search for mail spool file. -mta_getattr_spool(remote_login_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(remote_login_t) - fs_read_nfs_symlinks(remote_login_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(remote_login_t) - fs_read_cifs_symlinks(remote_login_t) -') - -optional_policy(` - alsa_domtrans(remote_login_t) -') - -optional_policy(` - nis_use_ypbind(remote_login_t) -') - -optional_policy(` - nscd_socket_use(remote_login_t) -') - -optional_policy(` - unconfined_domain(remote_login_t) - unconfined_shell_domtrans(remote_login_t) -') - -optional_policy(` - usermanage_read_crack_db(remote_login_t) -') diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc deleted file mode 100644 index af810b94e..000000000 --- a/policy/modules/services/resmgr.fc +++ /dev/null @@ -1,7 +0,0 @@ - -/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0) - -/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) - -/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) -/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if deleted file mode 100644 index d457736d5..000000000 --- a/policy/modules/services/resmgr.if +++ /dev/null @@ -1,22 +0,0 @@ -## Resource management daemon - -######################################## -## -## Connect to resmgrd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`resmgr_stream_connect',` - gen_require(` - type resmgrd_var_run_t, resmgrd_t; - ') - - allow $1 resmgrd_t:unix_stream_socket connectto; - allow $1 resmgrd_var_run_t:sock_file { getattr write }; - files_search_pids($1) -') diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te deleted file mode 100644 index bf5efbff1..000000000 --- a/policy/modules/services/resmgr.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(resmgr, 1.2.0) - -######################################## -# -# Declarations -# - -type resmgrd_t; -type resmgrd_exec_t; -init_daemon_domain(resmgrd_t, resmgrd_exec_t) - -type resmgrd_etc_t; -files_config_file(resmgrd_etc_t) - -type resmgrd_var_run_t; -files_pid_file(resmgrd_var_run_t) - -######################################## -# -# Local policy -# - -allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; -dontaudit resmgrd_t self:capability sys_tty_config; -allow resmgrd_t self:process signal_perms; - -allow resmgrd_t resmgrd_etc_t:file read_file_perms; -files_search_etc(resmgrd_t) - -allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; -allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file }) - -kernel_list_proc(resmgrd_t) -kernel_read_proc_symlinks(resmgrd_t) -kernel_read_kernel_sysctls(resmgrd_t) - -dev_read_sysfs(resmgrd_t) -dev_getattr_scanner_dev(resmgrd_t) - -domain_use_interactive_fds(resmgrd_t) - -files_read_etc_files(resmgrd_t) - -fs_search_auto_mountpoints(resmgrd_t) - -storage_dontaudit_read_fixed_disk(resmgrd_t) -storage_read_scsi_generic(resmgrd_t) -storage_raw_read_removable_device(resmgrd_t) -# not sure if it needs write access, needs to be investigated further... -storage_write_scsi_generic(resmgrd_t) -storage_raw_write_removable_device(resmgrd_t) - -logging_send_syslog_msg(resmgrd_t) - -miscfiles_read_localization(resmgrd_t) - -userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) - -optional_policy(` - seutil_sigchld_newrole(resmgrd_t) -') - -optional_policy(` - udev_read_db(resmgrd_t) -') diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc deleted file mode 100644 index 3c97ef04d..000000000 --- a/policy/modules/services/rgmanager.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - -/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) - -/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) - -/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if deleted file mode 100644 index 7dc38d152..000000000 --- a/policy/modules/services/rgmanager.if +++ /dev/null @@ -1,77 +0,0 @@ -## rgmanager - Resource Group Manager - -####################################### -## -## Execute a domain transition to run rgmanager. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rgmanager_domtrans',` - gen_require(` - type rgmanager_t, rgmanager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rgmanager_exec_t, rgmanager_t) -') - -######################################## -## -## Connect to rgmanager over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_stream_connect',` - gen_require(` - type rgmanager_t, rgmanager_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) -') - -###################################### -## -## Allow manage rgmanager tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_manage_tmp_files',` - gen_require(` - type rgmanager_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) -') - -###################################### -## -## Allow manage rgmanager tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rgmanager_manage_tmpfs_files',` - gen_require(` - type rgmanager_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te deleted file mode 100644 index c53700093..000000000 --- a/policy/modules/services/rgmanager.te +++ /dev/null @@ -1,202 +0,0 @@ -policy_module(rgmanager, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow rgmanager domain to connect to the network using TCP. -##

-## -gen_tunable(rgmanager_can_network_connect, false) - -type rgmanager_t; -type rgmanager_exec_t; -domain_type(rgmanager_t) -init_daemon_domain(rgmanager_t, rgmanager_exec_t) - -type rgmanager_tmp_t; -files_tmp_file(rgmanager_tmp_t) - -type rgmanager_tmpfs_t; -files_tmpfs_file(rgmanager_tmpfs_t) - -type rgmanager_var_log_t; -logging_log_file(rgmanager_var_log_t) - -type rgmanager_var_run_t; -files_pid_file(rgmanager_var_run_t) - -######################################## -# -# rgmanager local policy -# - -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; -dontaudit rgmanager_t self:capability { sys_ptrace }; -allow rgmanager_t self:process { setsched signal }; -dontaudit rgmanager_t self:process { ptrace }; - -allow rgmanager_t self:fifo_file rw_fifo_file_perms; -allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; -allow rgmanager_t self:unix_dgram_socket create_socket_perms; -allow rgmanager_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) - -manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) -fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) - -manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) -logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) - -manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(rgmanager_t) -kernel_read_system_state(rgmanager_t) -kernel_rw_rpc_sysctls(rgmanager_t) -kernel_search_debugfs(rgmanager_t) -kernel_search_network_state(rgmanager_t) - -corecmd_exec_bin(rgmanager_t) -corecmd_exec_shell(rgmanager_t) -consoletype_exec(rgmanager_t) - -# need to write to /dev/misc/dlm-control -dev_rw_dlm_control(rgmanager_t) -dev_setattr_dlm_control(rgmanager_t) -dev_search_sysfs(rgmanager_t) - -domain_read_all_domains_state(rgmanager_t) -domain_getattr_all_domains(rgmanager_t) -domain_dontaudit_ptrace_all_domains(rgmanager_t) - -files_list_all(rgmanager_t) -files_getattr_all_symlinks(rgmanager_t) -files_manage_mnt_dirs(rgmanager_t) -files_manage_isid_type_dirs(rgmanager_t) - -fs_getattr_xattr_fs(rgmanager_t) -fs_getattr_all_fs(rgmanager_t) - -storage_getattr_fixed_disk_dev(rgmanager_t) - -term_getattr_pty_fs(rgmanager_t) -#term_use_ptmx(rgmanager_t) - -# needed by resources scripts -auth_read_all_files_except_auth_files(rgmanager_t) -auth_dontaudit_getattr_shadow(rgmanager_t) -auth_use_nsswitch(rgmanager_t) - -logging_send_syslog_msg(rgmanager_t) - -miscfiles_read_localization(rgmanager_t) - -mount_domtrans(rgmanager_t) - -tunable_policy(`rgmanager_can_network_connect',` - corenet_tcp_connect_all_ports(rgmanager_t) -') - -# rgmanager can run resource scripts -optional_policy(` - aisexec_stream_connect(rgmanager_t) - corosync_stream_connect(rgmanager_t) -') - -optional_policy(` - apache_domtrans(rgmanager_t) - apache_signal(rgmanager_t) -') - -optional_policy(` - fstools_domtrans(rgmanager_t) -') - -optional_policy(` - rhcs_stream_connect_groupd(rgmanager_t) -') - -optional_policy(` - hostname_exec(rgmanager_t) -') - -optional_policy(` - ccs_manage_config(rgmanager_t) - ccs_stream_connect(rgmanager_t) - rhcs_stream_connect_gfs_controld(rgmanager_t) -') - -optional_policy(` - lvm_domtrans(rgmanager_t) -') - -optional_policy(` - mysql_domtrans_mysql_safe(rgmanager_t) - mysql_stream_connect(rgmanager_t) -') - -optional_policy(` - netutils_domtrans(rgmanager_t) - netutils_domtrans_ping(rgmanager_t) -') - -optional_policy(` - postgresql_domtrans(rgmanager_t) - postgresql_signal(rgmanager_t) -') - -optional_policy(` - rdisc_exec(rgmanager_t) -') - -optional_policy(` - ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) -') - -optional_policy(` - rpc_initrc_domtrans_nfsd(rgmanager_t) - rpc_initrc_domtrans_rpcd(rgmanager_t) - - rpc_domtrans_nfsd(rgmanager_t) - rpc_domtrans_rpcd(rgmanager_t) - rpc_manage_nfs_state_data(rgmanager_t) -') - -optional_policy(` - samba_initrc_domtrans(rgmanager_t) - samba_domtrans_smbd(rgmanager_t) - samba_domtrans_nmbd(rgmanager_t) - samba_manage_var_files(rgmanager_t) - samba_rw_config(rgmanager_t) - samba_signal_smbd(rgmanager_t) - samba_signal_nmbd(rgmanager_t) -') - -optional_policy(` - sysnet_domtrans_ifconfig(rgmanager_t) -') - -optional_policy(` - udev_read_db(rgmanager_t) -') - -optional_policy(` - virt_stream_connect(rgmanager_t) -') - -optional_policy(` - unconfined_domain(rgmanager_t) -') - -optional_policy(` - xen_domtrans_xm(rgmanager_t) -') diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc deleted file mode 100644 index c2ba53b30..000000000 --- a/policy/modules/services/rhcs.fc +++ /dev/null @@ -1,22 +0,0 @@ -/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) -/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) - -/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) - -/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) - -/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) -/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) -/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) -/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) - -/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) -/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) -/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if deleted file mode 100644 index de37806c6..000000000 --- a/policy/modules/services/rhcs.if +++ /dev/null @@ -1,355 +0,0 @@ -## RHCS - Red Hat Cluster Suite - -####################################### -## -## Creates types and rules for a basic -## rhcs init daemon domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`rhcs_domain_template',` - gen_require(` - attribute cluster_domain; - ') - - ############################## - # - # Declarations - # - - type $1_t, cluster_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - type $1_var_log_t; - logging_log_file($1_var_log_t) - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - ############################## - # - # Local policy - # - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) - - manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - logging_log_filetrans($1_t, $1_var_log_t, { file sock_file }) - - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) - -') - -###################################### -## -## Execute a domain transition to run dlm_controld. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_dlm_controld',` - gen_require(` - type dlm_controld_t, dlm_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) -') - -##################################### -## -## Connect to dlm_controld over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_dlm_controld',` - gen_require(` - type dlm_controld_t, dlm_controld_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -') - -##################################### -## -## Allow read and write access to dlm_controld semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_dlm_controld_semaphores',` - gen_require(` - type dlm_controld_t, dlm_controld_tmpfs_t; - ') - - allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -') - -###################################### -## -## Execute a domain transition to run fenced. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_fenced',` - gen_require(` - type fenced_t, fenced_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fenced_exec_t, fenced_t) -') - -###################################### -## -## Allow read and write access to fenced semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_fenced_semaphores',` - gen_require(` - type fenced_t, fenced_tmpfs_t; - ') - - allow $1 fenced_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) -') - -###################################### -## -## Connect to fenced over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_fenced',` - gen_require(` - type fenced_var_run_t, fenced_t; - ') - - allow $1 fenced_t:unix_stream_socket connectto; - allow $1 fenced_var_run_t:sock_file { getattr write }; - files_search_pids($1) -') - -##################################### -## -## Execute a domain transition to run gfs_controld. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_gfs_controld',` - gen_require(` - type gfs_controld_t, gfs_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) -') - -#################################### -## -## Allow read and write access to gfs_controld semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_gfs_controld_semaphores',` - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -') - -######################################## -## -## Read and write to gfs_controld_t shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_gfs_controld_shm',` - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -') - -##################################### -## -## Connect to gfs_controld_t over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_gfs_controld',` - gen_require(` - type gfs_controld_t, gfs_controld_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) -') - -###################################### -## -## Execute a domain transition to run groupd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_groupd',` - gen_require(` - type groupd_t, groupd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, groupd_exec_t, groupd_t) -') - -##################################### -## -## Connect to groupd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_stream_connect_groupd',` - gen_require(` - type groupd_t, groupd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) -') - -##################################### -## -## Allow read and write access to groupd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_groupd_semaphores',` - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -') - -######################################## -## -## Read and write to group shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhcs_rw_groupd_shm',` - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -') - -###################################### -## -## Execute a domain transition to run qdiskd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rhcs_domtrans_qdiskd',` - gen_require(` - type qdiskd_t, qdiskd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) -') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te deleted file mode 100644 index 93c896a8d..000000000 --- a/policy/modules/services/rhcs.te +++ /dev/null @@ -1,240 +0,0 @@ -policy_module(rhcs, 1.1.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow fenced domain to connect to the network using TCP. -##

-## -gen_tunable(fenced_can_network_connect, false) - -attribute cluster_domain; - -rhcs_domain_template(dlm_controld) - -rhcs_domain_template(fenced) - -type fenced_lock_t; -files_lock_file(fenced_lock_t) - -type fenced_tmp_t; -files_tmp_file(fenced_tmp_t) - -rhcs_domain_template(gfs_controld) - -rhcs_domain_template(groupd) - -rhcs_domain_template(qdiskd) - -type qdiskd_var_lib_t; -files_type(qdiskd_var_lib_t) - -##################################### -# -# dlm_controld local policy -# - -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; - -allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - -stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(dlm_controld_t) - -dev_rw_dlm_control(dlm_controld_t) -dev_rw_sysfs(dlm_controld_t) - -fs_manage_configfs_files(dlm_controld_t) -fs_manage_configfs_dirs(dlm_controld_t) - -init_rw_script_tmp_files(dlm_controld_t) - -optional_policy(` - ccs_stream_connect(dlm_controld_t) -') - -####################################### -# -# fenced local policy -# - -allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process getsched; - -allow fenced_t self:tcp_socket create_stream_socket_perms; -allow fenced_t self:udp_socket create_socket_perms; - -can_exec(fenced_t, fenced_exec_t) - -manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) -files_lock_filetrans(fenced_t, fenced_lock_t, file) - -manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) - -stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -corecmd_exec_bin(fenced_t) - -corenet_tcp_connect_http_port(fenced_t) - -dev_read_sysfs(fenced_t) -dev_read_urand(fenced_t) - -files_read_usr_symlinks(fenced_t) - -storage_raw_read_fixed_disk(fenced_t) -storage_raw_write_fixed_disk(fenced_t) -storage_raw_read_removable_device(fenced_t) - -term_getattr_pty_fs(fenced_t) -term_use_ptmx(fenced_t) - -auth_use_nsswitch(fenced_t) - -tunable_policy(`fenced_can_network_connect',` - corenet_tcp_connect_all_ports(fenced_t) -') - -optional_policy(` - ccs_read_config(fenced_t) - ccs_stream_connect(fenced_t) -') - -optional_policy(` - lvm_domtrans(fenced_t) - lvm_read_config(fenced_t) -') - -###################################### -# -# gfs_controld local policy -# - -allow gfs_controld_t self:capability { net_admin sys_resource }; - -allow gfs_controld_t self:shm create_shm_perms; -allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - -stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - -kernel_read_system_state(gfs_controld_t) - -dev_rw_dlm_control(gfs_controld_t) -dev_setattr_dlm_control(gfs_controld_t) -dev_rw_sysfs(gfs_controld_t) - -storage_getattr_removable_dev(gfs_controld_t) - -init_rw_script_tmp_files(gfs_controld_t) - -optional_policy(` - ccs_stream_connect(gfs_controld_t) -') - -optional_policy(` - lvm_exec(gfs_controld_t) - dev_rw_lvm_control(gfs_controld_t) -') - -####################################### -# -# groupd local policy -# - -allow groupd_t self:capability { sys_nice sys_resource }; -allow groupd_t self:process setsched; - -allow groupd_t self:shm create_shm_perms; - -dev_list_sysfs(groupd_t) - -files_read_etc_files(groupd_t) - -init_rw_script_tmp_files(groupd_t) - -###################################### -# -# qdiskd local policy -# - -allow qdiskd_t self:capability ipc_lock; - -allow qdiskd_t self:tcp_socket create_stream_socket_perms; -allow qdiskd_t self:udp_socket create_socket_perms; - -manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) -files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) - -kernel_read_system_state(qdiskd_t) -kernel_read_software_raid_state(qdiskd_t) -kernel_getattr_core_if(qdiskd_t) - -corecmd_getattr_bin_files(qdiskd_t) -corecmd_exec_shell(qdiskd_t) - -dev_read_sysfs(qdiskd_t) -dev_list_all_dev_nodes(qdiskd_t) -dev_getattr_all_blk_files(qdiskd_t) -dev_getattr_all_chr_files(qdiskd_t) -dev_manage_generic_blk_files(qdiskd_t) -dev_manage_generic_chr_files(qdiskd_t) - -domain_dontaudit_getattr_all_pipes(qdiskd_t) -domain_dontaudit_getattr_all_sockets(qdiskd_t) - -files_dontaudit_getattr_all_sockets(qdiskd_t) -files_dontaudit_getattr_all_pipes(qdiskd_t) -files_read_etc_files(qdiskd_t) - -storage_raw_read_removable_device(qdiskd_t) -storage_raw_write_removable_device(qdiskd_t) -storage_raw_read_fixed_disk(qdiskd_t) -storage_raw_write_fixed_disk(qdiskd_t) - -auth_use_nsswitch(qdiskd_t) - -optional_policy(` - ccs_stream_connect(qdiskd_t) -') - -optional_policy(` - netutils_domtrans_ping(qdiskd_t) -') - -optional_policy(` - udev_read_db(qdiskd_t) -') - -##################################### -# -# rhcs domains common policy -# - -allow cluster_domain self:capability { sys_nice }; -allow cluster_domain self:process setsched; - -allow cluster_domain self:sem create_sem_perms; -allow cluster_domain self:fifo_file rw_fifo_file_perms; -allow cluster_domain self:unix_stream_socket create_stream_socket_perms; -allow cluster_domain self:unix_dgram_socket create_socket_perms; - -logging_send_syslog_msg(cluster_domain) - -miscfiles_read_localization(cluster_domain) - -optional_policy(` - corosync_stream_connect(cluster_domain) -') diff --git a/policy/modules/services/rhgb.fc b/policy/modules/services/rhgb.fc deleted file mode 100644 index 9e5d31b56..000000000 --- a/policy/modules/services/rhgb.fc +++ /dev/null @@ -1,4 +0,0 @@ -# -# /usr -# -/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0) diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if deleted file mode 100644 index 96efae7fc..000000000 --- a/policy/modules/services/rhgb.if +++ /dev/null @@ -1,198 +0,0 @@ -## Red Hat Graphical Boot - -######################################## -## -## RHGB stub interface. No access allowed. -## -## -## -## N/A -## -## -# -interface(`rhgb_stub',` - gen_require(` - type rhgb_t; - ') -') - -######################################## -## -## Use a rhgb file descriptor. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_use_fds',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:fd use; -') - -######################################## -## -## Get the process group of rhgb. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_getpgid',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process getpgid; -') - -######################################## -## -## Send a signal to rhgb. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_signal',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process signal; -') - -######################################## -## -## Read and write to unix stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_rw_stream_sockets',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:unix_stream_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write -## rhgb unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`rhgb_dontaudit_rw_stream_sockets',` - gen_require(` - type rhgb_t; - ') - - dontaudit $1 rhgb_t:unix_stream_socket { read write }; -') - -######################################## -## -## Connected to rhgb unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_stream_connect',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:unix_stream_socket connectto; -') - -######################################## -## -## Read and write to rhgb shared memory. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_rw_shm',` - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:shm rw_shm_perms; -') - -######################################## -## -## Read from and write to the rhgb devpts. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_use_ptys',` - gen_require(` - type rhgb_devpts_t; - ') - - allow $1 rhgb_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## dontaudit Read from and write to the rhgb devpts. -## -## -## -## Domain to not audit. -## -## -# -interface(`rhgb_dontaudit_use_ptys',` - gen_require(` - type rhgb_devpts_t; - ') - - dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Read and write to rhgb temporary file system. -## -## -## -## Domain allowed access. -## -## -# -interface(`rhgb_rw_tmpfs_files',` - gen_require(` - type rhgb_tmpfs_t; - ') - - allow $1 rhgb_tmpfs_t:file rw_file_perms; -') diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te deleted file mode 100644 index 0f262a7d0..000000000 --- a/policy/modules/services/rhgb.te +++ /dev/null @@ -1,142 +0,0 @@ -policy_module(rhgb, 1.9.0) - -######################################## -# -# Declarations -# - -type rhgb_t; -type rhgb_exec_t; -init_daemon_domain(rhgb_t, rhgb_exec_t) - -type rhgb_tmpfs_t; -files_tmpfs_file(rhgb_tmpfs_t) - -type rhgb_devpts_t; -term_pty(rhgb_devpts_t) - -######################################## -# -# Local policy -# - -allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config }; -dontaudit rhgb_t self:capability sys_tty_config; -allow rhgb_t self:process { setpgid signal_perms }; -allow rhgb_t self:shm create_shm_perms; -allow rhgb_t self:unix_stream_socket create_stream_socket_perms; -allow rhgb_t self:fifo_file rw_fifo_file_perms; -allow rhgb_t self:tcp_socket create_socket_perms; -allow rhgb_t self:udp_socket create_socket_perms; -allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; - -allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(rhgb_t, rhgb_devpts_t) - -manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(rhgb_t) -kernel_read_system_state(rhgb_t) - -corecmd_exec_bin(rhgb_t) -corecmd_exec_shell(rhgb_t) - -corenet_all_recvfrom_unlabeled(rhgb_t) -corenet_all_recvfrom_netlabel(rhgb_t) -corenet_tcp_sendrecv_generic_if(rhgb_t) -corenet_udp_sendrecv_generic_if(rhgb_t) -corenet_tcp_sendrecv_generic_node(rhgb_t) -corenet_udp_sendrecv_generic_node(rhgb_t) -corenet_tcp_sendrecv_all_ports(rhgb_t) -corenet_udp_sendrecv_all_ports(rhgb_t) -corenet_tcp_connect_all_ports(rhgb_t) -corenet_sendrecv_all_client_packets(rhgb_t) - -dev_read_sysfs(rhgb_t) -dev_read_urand(rhgb_t) - -domain_use_interactive_fds(rhgb_t) - -files_read_etc_files(rhgb_t) -files_read_var_files(rhgb_t) -files_read_etc_runtime_files(rhgb_t) -files_search_tmp(rhgb_t) -files_read_usr_files(rhgb_t) -files_mounton_mnt(rhgb_t) -files_dontaudit_rw_root_dir(rhgb_t) -files_dontaudit_read_default_files(rhgb_t) -files_dontaudit_search_pids(rhgb_t) -# for nscd -files_dontaudit_search_var(rhgb_t) - -fs_search_auto_mountpoints(rhgb_t) -fs_mount_ramfs(rhgb_t) -fs_unmount_ramfs(rhgb_t) -fs_getattr_tmpfs(rhgb_t) -# for ramfs file systems -fs_manage_ramfs_dirs(rhgb_t) -fs_manage_ramfs_files(rhgb_t) -fs_manage_ramfs_pipes(rhgb_t) -fs_manage_ramfs_sockets(rhgb_t) - -selinux_dontaudit_read_fs(rhgb_t) - -term_use_unallocated_ttys(rhgb_t) -term_use_ptmx(rhgb_t) -term_getattr_pty_fs(rhgb_t) - -init_write_initctl(rhgb_t) - -# for localization -libs_read_lib_files(rhgb_t) - -logging_send_syslog_msg(rhgb_t) - -miscfiles_read_localization(rhgb_t) -miscfiles_read_fonts(rhgb_t) -miscfiles_dontaudit_write_fonts(rhgb_t) - -seutil_search_default_contexts(rhgb_t) -seutil_read_config(rhgb_t) - -sysnet_read_config(rhgb_t) -sysnet_domtrans_ifconfig(rhgb_t) - -userdom_dontaudit_use_unpriv_user_fds(rhgb_t) -userdom_dontaudit_search_user_home_content(rhgb_t) - -xserver_read_tmp_files(rhgb_t) -xserver_kill(rhgb_t) -# for running setxkbmap -xserver_read_xkb_libs(rhgb_t) -xserver_domtrans(rhgb_t) -xserver_signal(rhgb_t) -xserver_read_xdm_tmp_files(rhgb_t) -xserver_stream_connect(rhgb_t) - -optional_policy(` - consoletype_exec(rhgb_t) -') - -optional_policy(` - nis_use_ypbind(rhgb_t) -') - -optional_policy(` - seutil_sigchld_newrole(rhgb_t) -') - -optional_policy(` - udev_read_db(rhgb_t) -') - -ifdef(`TODO',` - #this seems a bit much - allow domain rhgb_devpts_t:chr_file { read write }; - allow initrc_t rhgb_gph_t:fd use; -') diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc deleted file mode 100644 index 5b08327f6..000000000 --- a/policy/modules/services/ricci.fc +++ /dev/null @@ -1,16 +0,0 @@ -/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) -/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) -/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) -/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0) -/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0) - -/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0) -/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0) - -/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0) - -/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) - -/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) -/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) -/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if deleted file mode 100644 index f7826f94b..000000000 --- a/policy/modules/services/ricci.if +++ /dev/null @@ -1,167 +0,0 @@ -## Ricci cluster management agent - -######################################## -## -## Execute a domain transition to run ricci. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans',` - gen_require(` - type ricci_t, ricci_exec_t; - ') - - domtrans_pattern($1, ricci_exec_t, ricci_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modcluster. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modcluster',` - gen_require(` - type ricci_modcluster_t, ricci_modcluster_exec_t; - ') - - domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) -') - -######################################## -## -## Do not audit attempts to use -## ricci_modcluster file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`ricci_dontaudit_use_modcluster_fds',` - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fd use; -') - -######################################## -## -## Do not audit attempts to read write -## ricci_modcluster unamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`ricci_dontaudit_rw_modcluster_pipes',` - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; -') - -######################################## -## -## Connect to ricci_modclusterd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`ricci_stream_connect_modclusterd',` - gen_require(` - type ricci_modclusterd_t, ricci_modcluster_var_run_t; - ') - - files_search_pids($1) - allow $1 ricci_modcluster_var_run_t:sock_file write; - allow $1 ricci_modclusterd_t:unix_stream_socket connectto; -') - -######################################## -## -## Execute a domain transition to run ricci_modlog. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modlog',` - gen_require(` - type ricci_modlog_t, ricci_modlog_exec_t; - ') - - domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modrpm. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modrpm',` - gen_require(` - type ricci_modrpm_t, ricci_modrpm_exec_t; - ') - - domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modservice. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modservice',` - gen_require(` - type ricci_modservice_t, ricci_modservice_exec_t; - ') - - domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) -') - -######################################## -## -## Execute a domain transition to run ricci_modstorage. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ricci_domtrans_modstorage',` - gen_require(` - type ricci_modstorage_t, ricci_modstorage_exec_t; - ') - - domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) -') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te deleted file mode 100644 index 33e72e80f..000000000 --- a/policy/modules/services/ricci.te +++ /dev/null @@ -1,488 +0,0 @@ -policy_module(ricci, 1.7.0) - -######################################## -# -# Declarations -# - -type ricci_t; -type ricci_exec_t; -domain_type(ricci_t) -init_daemon_domain(ricci_t, ricci_exec_t) - -type ricci_tmp_t; -files_tmp_file(ricci_tmp_t) - -type ricci_var_lib_t; -files_type(ricci_var_lib_t) - -type ricci_var_log_t; -logging_log_file(ricci_var_log_t) - -type ricci_var_run_t; -files_pid_file(ricci_var_run_t) - -type ricci_modcluster_t; -type ricci_modcluster_exec_t; -domain_type(ricci_modcluster_t) -domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t) -role system_r types ricci_modcluster_t; - -type ricci_modcluster_var_lib_t; -files_type(ricci_modcluster_var_lib_t) - -type ricci_modcluster_var_log_t; -logging_log_file(ricci_modcluster_var_log_t) - -type ricci_modcluster_var_run_t; -files_pid_file(ricci_modcluster_var_run_t) - -type ricci_modclusterd_t; -type ricci_modclusterd_exec_t; -domain_type(ricci_modclusterd_t) -init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) - -type ricci_modlog_t; -type ricci_modlog_exec_t; -domain_type(ricci_modlog_t) -domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t) -role system_r types ricci_modlog_t; - -type ricci_modrpm_t; -type ricci_modrpm_exec_t; -domain_type(ricci_modrpm_t) -domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t) -role system_r types ricci_modrpm_t; - -type ricci_modservice_t; -type ricci_modservice_exec_t; -domain_type(ricci_modservice_t) -domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t) -role system_r types ricci_modservice_t; - -type ricci_modstorage_t; -type ricci_modstorage_exec_t; -domain_type(ricci_modstorage_t) -domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t) -role system_r types ricci_modstorage_t; - -type ricci_modstorage_lock_t; -files_lock_file(ricci_modstorage_lock_t) - -######################################## -# -# ricci local policy -# - -allow ricci_t self:capability { setuid sys_nice sys_boot }; -allow ricci_t self:process setsched; -allow ricci_t self:fifo_file rw_fifo_file_perms; -allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow ricci_t self:tcp_socket create_stream_socket_perms; - -domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t) -domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t) -domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t) -domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t) -domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t) - -manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) -manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) -files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) - -manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) -files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) - -allow ricci_t ricci_var_log_t:dir setattr; -manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) -logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) - -manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) -manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) -files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ricci_t) - -corecmd_exec_bin(ricci_t) - -corenet_all_recvfrom_unlabeled(ricci_t) -corenet_all_recvfrom_netlabel(ricci_t) -corenet_tcp_sendrecv_generic_if(ricci_t) -corenet_tcp_sendrecv_generic_node(ricci_t) -corenet_tcp_sendrecv_all_ports(ricci_t) -corenet_tcp_bind_generic_node(ricci_t) -corenet_udp_bind_generic_node(ricci_t) -corenet_tcp_bind_ricci_port(ricci_t) -corenet_udp_bind_ricci_port(ricci_t) -corenet_tcp_connect_http_port(ricci_t) - -dev_read_urand(ricci_t) - -domain_read_all_domains_state(ricci_t) - -files_read_etc_files(ricci_t) -files_read_etc_runtime_files(ricci_t) -files_create_boot_flag(ricci_t) - -auth_domtrans_chk_passwd(ricci_t) -auth_append_login_records(ricci_t) - -init_stream_connect_script(ricci_t) - -locallogin_dontaudit_use_fds(ricci_t) - -logging_send_syslog_msg(ricci_t) - -miscfiles_read_localization(ricci_t) - -sysnet_dns_name_resolve(ricci_t) - -optional_policy(` - ccs_read_config(ricci_t) -') - -optional_policy(` - dbus_system_bus_client(ricci_t) - - oddjob_dbus_chat(ricci_t) -') - -optional_policy(` - # Needed so oddjob can run halt/reboot on behalf of ricci - corecmd_bin_entry_type(ricci_t) - term_dontaudit_search_ptys(ricci_t) - init_exec(ricci_t) - init_telinit(ricci_t) - init_rw_utmp(ricci_t) - - oddjob_system_entry(ricci_t, ricci_exec_t) -') - -optional_policy(` - rpm_use_script_fds(ricci_t) -') - -optional_policy(` - sasl_connect(ricci_t) -') - -optional_policy(` - unconfined_use_fds(ricci_t) -') - -optional_policy(` - xen_domtrans_xm(ricci_t) -') - -######################################## -# -# ricci_modcluster local policy -# - -allow ricci_modcluster_t self:capability { net_bind_service sys_nice }; -allow ricci_modcluster_t self:process setsched; -allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modcluster_t) -kernel_read_system_state(ricci_modcluster_t) - -corecmd_exec_shell(ricci_modcluster_t) -corecmd_exec_bin(ricci_modcluster_t) - -corenet_tcp_bind_cluster_port(ricci_modclusterd_t) -corenet_tcp_bind_reserved_port(ricci_modclusterd_t) - -domain_read_all_domains_state(ricci_modcluster_t) - -files_search_locks(ricci_modcluster_t) -files_read_etc_runtime_files(ricci_modcluster_t) -files_read_etc_files(ricci_modcluster_t) -files_search_usr(ricci_modcluster_t) - -init_exec(ricci_modcluster_t) -init_domtrans_script(ricci_modcluster_t) - -logging_send_syslog_msg(ricci_modcluster_t) - -miscfiles_read_localization(ricci_modcluster_t) - -modutils_domtrans_insmod(ricci_modcluster_t) - -mount_domtrans(ricci_modcluster_t) - -consoletype_exec(ricci_modcluster_t) - -ricci_stream_connect_modclusterd(ricci_modcluster_t) - -optional_policy(` - aisexec_stream_connect(ricci_modcluster_t) - corosync_stream_connect(ricci_modcluster_t) -') - -optional_policy(` - ccs_stream_connect(ricci_modcluster_t) - ccs_domtrans(ricci_modcluster_t) - ccs_manage_config(ricci_modcluster_t) -') - -optional_policy(` - lvm_domtrans(ricci_modcluster_t) -') - -optional_policy(` - nscd_socket_use(ricci_modcluster_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t) -') - -optional_policy(` - # XXX This has got to go. - unconfined_domain(ricci_modcluster_t) -') - -######################################## -# -# ricci_modclusterd local policy -# - -allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config }; -allow ricci_modclusterd_t self:process { signal sigkill setsched }; -allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; -allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; -allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; -# cjp: this needs to be fixed for a specific socket type: -allow ricci_modclusterd_t self:socket create_socket_perms; - -allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; -allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; - -allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir }) - -manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) -manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) -files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(ricci_modclusterd_t) -kernel_read_system_state(ricci_modclusterd_t) - -corecmd_exec_bin(ricci_modclusterd_t) - -corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t) -corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t) -corenet_tcp_bind_generic_node(ricci_modclusterd_t) -corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) -corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) - -domain_read_all_domains_state(ricci_modclusterd_t) - -files_read_etc_files(ricci_modclusterd_t) -files_read_etc_runtime_files(ricci_modclusterd_t) - -fs_getattr_xattr_fs(ricci_modclusterd_t) - -auth_use_nsswitch(ricci_modclusterd_t) - -init_stream_connect_script(ricci_modclusterd_t) - -locallogin_dontaudit_use_fds(ricci_modclusterd_t) - -logging_send_syslog_msg(ricci_modclusterd_t) - -miscfiles_read_localization(ricci_modclusterd_t) - -sysnet_domtrans_ifconfig(ricci_modclusterd_t) - -optional_policy(` - aisexec_stream_connect(ricci_modclusterd_t) - corosync_stream_connect(ricci_modclusterd_t) -') - -optional_policy(` - ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) - ccs_read_config(ricci_modclusterd_t) -') - -optional_policy(` - rgmanager_stream_connect(ricci_modclusterd_t) -') - -optional_policy(` - unconfined_use_fds(ricci_modclusterd_t) -') - -######################################## -# -# ricci_modlog local policy -# - -allow ricci_modlog_t self:capability sys_nice; -allow ricci_modlog_t self:process setsched; - -kernel_read_kernel_sysctls(ricci_modlog_t) -kernel_read_system_state(ricci_modlog_t) - -corecmd_exec_bin(ricci_modlog_t) - -domain_read_all_domains_state(ricci_modlog_t) - -files_read_etc_files(ricci_modlog_t) -files_search_usr(ricci_modlog_t) - -logging_read_generic_logs(ricci_modlog_t) - -miscfiles_read_localization(ricci_modlog_t) - -optional_policy(` - nscd_dontaudit_search_pid(ricci_modlog_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t) -') - -######################################## -# -# ricci_modrpm local policy -# - -allow ricci_modrpm_t self:fifo_file read_fifo_file_perms; - -kernel_read_kernel_sysctls(ricci_modrpm_t) - -corecmd_exec_bin(ricci_modrpm_t) - -files_search_usr(ricci_modrpm_t) -files_read_etc_files(ricci_modrpm_t) - -miscfiles_read_localization(ricci_modrpm_t) - -optional_policy(` - oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) -') - -optional_policy(` - rpm_domtrans(ricci_modrpm_t) -') - -######################################## -# -# ricci_modservice local policy -# - -allow ricci_modservice_t self:capability { dac_override sys_nice }; -allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; -allow ricci_modservice_t self:process setsched; - -kernel_read_kernel_sysctls(ricci_modservice_t) -kernel_read_system_state(ricci_modservice_t) - -corecmd_exec_bin(ricci_modservice_t) -corecmd_exec_shell(ricci_modservice_t) - -files_read_etc_files(ricci_modservice_t) -files_read_etc_runtime_files(ricci_modservice_t) -files_search_usr(ricci_modservice_t) -# Needed for running chkconfig -files_manage_etc_symlinks(ricci_modservice_t) - -consoletype_exec(ricci_modservice_t) - -init_domtrans_script(ricci_modservice_t) - -miscfiles_read_localization(ricci_modservice_t) - -optional_policy(` - ccs_read_config(ricci_modservice_t) -') - -optional_policy(` - nscd_dontaudit_search_pid(ricci_modservice_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t) -') - -######################################## -# -# ricci_modstorage local policy -# - -allow ricci_modstorage_t self:process { setsched signal }; -dontaudit ricci_modstorage_t self:process ptrace; -allow ricci_modstorage_t self:capability { mknod sys_nice }; -allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; -allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; - -kernel_read_kernel_sysctls(ricci_modstorage_t) -kernel_read_system_state(ricci_modstorage_t) - -create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t) -files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file) - -corecmd_exec_shell(ricci_modstorage_t) -corecmd_exec_bin(ricci_modstorage_t) - -dev_read_sysfs(ricci_modstorage_t) -dev_read_urand(ricci_modstorage_t) -dev_manage_generic_blk_files(ricci_modstorage_t) - -domain_read_all_domains_state(ricci_modstorage_t) - -#Needed for editing /etc/fstab -files_manage_etc_files(ricci_modstorage_t) -files_read_etc_runtime_files(ricci_modstorage_t) -files_read_usr_files(ricci_modstorage_t) -files_read_kernel_modules(ricci_modstorage_t) - -storage_raw_read_fixed_disk(ricci_modstorage_t) - -term_dontaudit_use_console(ricci_modstorage_t) - -fstools_domtrans(ricci_modstorage_t) - -logging_send_syslog_msg(ricci_modstorage_t) - -miscfiles_read_localization(ricci_modstorage_t) - -modutils_read_module_deps(ricci_modstorage_t) - -consoletype_exec(ricci_modstorage_t) - -mount_domtrans(ricci_modstorage_t) - -optional_policy(` - aisexec_stream_connect(ricci_modstorage_t) - corosync_stream_connect(ricci_modstorage_t) -') - -optional_policy(` - ccs_stream_connect(ricci_modstorage_t) - ccs_read_config(ricci_modstorage_t) -') - -optional_policy(` - lvm_domtrans(ricci_modstorage_t) - lvm_manage_config(ricci_modstorage_t) -') - -optional_policy(` - nscd_socket_use(ricci_modstorage_t) -') - -optional_policy(` - oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t) -') - -optional_policy(` - raid_domtrans_mdadm(ricci_modstorage_t) -') diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc deleted file mode 100644 index 27853373e..000000000 --- a/policy/modules/services/rlogin.fc +++ /dev/null @@ -1,7 +0,0 @@ -HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) - -/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if deleted file mode 100644 index 63e78c60b..000000000 --- a/policy/modules/services/rlogin.if +++ /dev/null @@ -1,47 +0,0 @@ -## Remote login daemon - -######################################## -## -## Execute rlogind in the rlogin domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rlogin_domtrans',` - gen_require(` - type rlogind_t, rlogind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rlogind_exec_t, rlogind_t) -') - -######################################## -## -## read rlogin homedir content (.config) -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -# -template(`rlogin_read_home_content',` - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - list_dirs_pattern($1, rlogind_home_t, rlogind_home_t) - read_files_pattern($1, rlogind_home_t, rlogind_home_t) - read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t) -') diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te deleted file mode 100644 index 779fa445f..000000000 --- a/policy/modules/services/rlogin.te +++ /dev/null @@ -1,116 +0,0 @@ -policy_module(rlogin, 1.9.0) - -######################################## -# -# Declarations -# - -type rlogind_t; -type rlogind_exec_t; -inetd_service_domain(rlogind_t, rlogind_exec_t) -role system_r types rlogind_t; - -type rlogind_devpts_t; #, userpty_type; -term_login_pty(rlogind_devpts_t) - -type rlogind_home_t; -userdom_user_home_content(rlogind_home_t) - -type rlogind_tmp_t; -files_tmp_file(rlogind_tmp_t) - -type rlogind_var_run_t; -files_pid_file(rlogind_var_run_t) - -######################################## -# -# Local policy -# - -allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; -allow rlogind_t self:process signal_perms; -allow rlogind_t self:fifo_file rw_fifo_file_perms; -allow rlogind_t self:tcp_socket connected_stream_socket_perms; -# for identd; cjp: this should probably only be inetd_child rules? -allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow rlogind_t self:capability { setuid setgid }; - -allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(rlogind_t, rlogind_devpts_t) - -# for /usr/lib/telnetlogin -can_exec(rlogind_t, rlogind_exec_t) - -manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) - -manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) -files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) - -kernel_read_kernel_sysctls(rlogind_t) -kernel_read_system_state(rlogind_t) -kernel_read_network_state(rlogind_t) - -corenet_all_recvfrom_unlabeled(rlogind_t) -corenet_all_recvfrom_netlabel(rlogind_t) -corenet_tcp_sendrecv_generic_if(rlogind_t) -corenet_udp_sendrecv_generic_if(rlogind_t) -corenet_tcp_sendrecv_generic_node(rlogind_t) -corenet_udp_sendrecv_generic_node(rlogind_t) -corenet_tcp_sendrecv_all_ports(rlogind_t) -corenet_udp_sendrecv_all_ports(rlogind_t) - -dev_read_urand(rlogind_t) - -domain_interactive_fd(rlogind_t) - -fs_getattr_xattr_fs(rlogind_t) -fs_search_auto_mountpoints(rlogind_t) - -auth_domtrans_chk_passwd(rlogind_t) -auth_rw_login_records(rlogind_t) -auth_use_nsswitch(rlogind_t) - -files_read_etc_files(rlogind_t) -files_read_etc_runtime_files(rlogind_t) -files_search_home(rlogind_t) -files_search_default(rlogind_t) - -init_rw_utmp(rlogind_t) - -logging_send_syslog_msg(rlogind_t) - -miscfiles_read_localization(rlogind_t) - -seutil_read_config(rlogind_t) - -userdom_setattr_user_ptys(rlogind_t) -# cjp: this is egregious -userdom_read_user_home_content_files(rlogind_t) - -remotelogin_domtrans(rlogind_t) -remotelogin_signal(rlogind_t) - -rlogin_read_home_content(rlogind_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(rlogind_t) - fs_read_nfs_files(rlogind_t) - fs_read_nfs_symlinks(rlogind_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(rlogind_t) - fs_read_cifs_files(rlogind_t) - fs_read_cifs_symlinks(rlogind_t) -') - -optional_policy(` - kerberos_keytab_template(rlogind, rlogind_t) - kerberos_manage_host_rcache(rlogind_t) -') - -optional_policy(` - tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) -') diff --git a/policy/modules/services/roundup.fc b/policy/modules/services/roundup.fc deleted file mode 100644 index e4110e6e0..000000000 --- a/policy/modules/services/roundup.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) - -# -# /usr -# -/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0) - -# -# /var -# -/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if deleted file mode 100644 index 30c4b756e..000000000 --- a/policy/modules/services/roundup.if +++ /dev/null @@ -1,39 +0,0 @@ -## Roundup Issue Tracking System policy - -######################################## -## -## All of the rules required to administrate -## an roundup environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the roundup domain. -## -## -## -# -interface(`roundup_admin',` - gen_require(` - type roundup_t, roundup_var_lib_t, roundup_var_run_t; - type roundup_initrc_exec_t; - ') - - allow $1 roundup_t:process { ptrace signal_perms }; - ps_process_pattern($1, roundup_t) - - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 roundup_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, roundup_var_lib_t) - - files_list_pids($1) - admin_pattern($1, roundup_var_run_t) -') diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te deleted file mode 100644 index 57f839f4c..000000000 --- a/policy/modules/services/roundup.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(roundup, 1.7.0) - -######################################## -# -# Declarations -# - -type roundup_t; -type roundup_exec_t; -init_daemon_domain(roundup_t, roundup_exec_t) - -type roundup_initrc_exec_t; -init_script_file(roundup_initrc_exec_t) - -type roundup_var_run_t; -files_pid_file(roundup_var_run_t) - -type roundup_var_lib_t; -files_type(roundup_var_lib_t) - -######################################## -# -# Local policy -# - -allow roundup_t self:capability { setgid setuid }; -dontaudit roundup_t self:capability sys_tty_config; -allow roundup_t self:process signal_perms; -allow roundup_t self:unix_stream_socket create_stream_socket_perms; -allow roundup_t self:tcp_socket create_stream_socket_perms; -allow roundup_t self:udp_socket create_socket_perms; - -manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t) -files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file) - -manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t) -files_pid_filetrans(roundup_t, roundup_var_run_t, file) - -kernel_read_kernel_sysctls(roundup_t) -kernel_list_proc(roundup_t) -kernel_read_proc_symlinks(roundup_t) - -dev_read_sysfs(roundup_t) - -# execute python -corecmd_exec_bin(roundup_t) - -corenet_all_recvfrom_unlabeled(roundup_t) -corenet_all_recvfrom_netlabel(roundup_t) -corenet_tcp_sendrecv_generic_if(roundup_t) -corenet_udp_sendrecv_generic_if(roundup_t) -corenet_raw_sendrecv_generic_if(roundup_t) -corenet_tcp_sendrecv_generic_node(roundup_t) -corenet_udp_sendrecv_generic_node(roundup_t) -corenet_raw_sendrecv_generic_node(roundup_t) -corenet_tcp_sendrecv_all_ports(roundup_t) -corenet_udp_sendrecv_all_ports(roundup_t) -corenet_tcp_bind_generic_node(roundup_t) -corenet_tcp_bind_http_cache_port(roundup_t) -corenet_tcp_connect_smtp_port(roundup_t) -corenet_sendrecv_http_cache_server_packets(roundup_t) -corenet_sendrecv_smtp_client_packets(roundup_t) - -# /usr/share/mysql/charsets/Index.xml -dev_read_urand(roundup_t) - -domain_use_interactive_fds(roundup_t) - -# /usr/share/mysql/charsets/Index.xml -files_read_usr_files(roundup_t) -files_read_etc_files(roundup_t) - -fs_getattr_all_fs(roundup_t) -fs_search_auto_mountpoints(roundup_t) - -logging_send_syslog_msg(roundup_t) - -miscfiles_read_localization(roundup_t) - -sysnet_read_config(roundup_t) - -userdom_dontaudit_use_unpriv_user_fds(roundup_t) -userdom_dontaudit_search_user_home_dirs(roundup_t) - -optional_policy(` - mysql_stream_connect(roundup_t) - mysql_search_db(roundup_t) -') - -optional_policy(` - seutil_sigchld_newrole(roundup_t) -') - -optional_policy(` - udev_read_db(roundup_t) -') diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc deleted file mode 100644 index 5c70c0cc9..000000000 --- a/policy/modules/services/rpc.fc +++ /dev/null @@ -1,31 +0,0 @@ -# -# /etc -# -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) -/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - -# -# /sbin -# -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - -# -# /usr -# -/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) - -# -# /var -# -/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) - -/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if deleted file mode 100644 index dddabcf82..000000000 --- a/policy/modules/services/rpc.if +++ /dev/null @@ -1,435 +0,0 @@ -## Remote Procedure Call Daemon for managment of network based process communication - -######################################## -## -## RPC stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_stub',` - gen_require(` - type exports_t; - ') -') - -####################################### -## -## The template to define a rpc domain. -## -## -##

-## This template creates a domain to be used for -## a new rpc daemon. -##

-## -## -## -## The type of daemon to be used. -## -## -# -template(`rpc_domain_template', ` - ######################################## - # - # Declarations - # - - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - domain_use_interactive_fds($1_t) - - #################################### - # - # Local Policy - # - - dontaudit $1_t self:capability { net_admin sys_tty_config }; - allow $1_t self:capability net_bind_service; - allow $1_t self:process signal_perms; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) - manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) - - kernel_list_proc($1_t) - kernel_read_proc_symlinks($1_t) - kernel_read_kernel_sysctls($1_t) - # bind to arbitary unused ports - kernel_rw_rpc_sysctls($1_t) - - dev_read_sysfs($1_t) - dev_read_urand($1_t) - dev_read_rand($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_reserved_port($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_portmap_client_packets($1_t) - # do not log when it tries to bind to a port belonging to another domain - corenet_dontaudit_tcp_bind_all_ports($1_t) - corenet_dontaudit_udp_bind_all_ports($1_t) - # bind to arbitary unused ports - corenet_tcp_bind_generic_port($1_t) - corenet_udp_bind_generic_port($1_t) - corenet_tcp_bind_all_rpc_ports($1_t) - corenet_udp_bind_all_rpc_ports($1_t) - corenet_sendrecv_generic_server_packets($1_t) - - fs_rw_rpc_named_pipes($1_t) - fs_search_auto_mountpoints($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_search_var($1_t) - files_search_var_lib($1_t) - files_list_home($1_t) - - auth_use_nsswitch($1_t) - - logging_send_syslog_msg($1_t) - - miscfiles_read_localization($1_t) - - userdom_dontaudit_use_unpriv_user_fds($1_t) - - optional_policy(` - rpcbind_stream_connect($1_t) - ') - - optional_policy(` - seutil_sigchld_newrole($1_t) - ') - - optional_policy(` - udev_read_db($1_t) - ') -') - -######################################## -## -## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Do not audit attempts to get the attributes -## of the NFS export file. -## -## -## -## Domain to not audit. -## -## -# -interface(`rpc_dontaudit_getattr_exports',` - gen_require(` - type exports_t; - ') - - dontaudit $1 exports_t:file getattr; -') - -######################################## -## -## Allow read access to exports. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_read_exports',` - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file read_file_perms; -') - -######################################## -## -## Allow write access to exports. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_write_exports',` - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file write; -') - -######################################## -## -## Execute domain in nfsd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_domtrans_nfsd',` - gen_require(` - type nfsd_t, nfsd_exec_t; - ') - - domtrans_pattern($1, nfsd_exec_t, nfsd_t) -') - -####################################### -## -## Execute domain in nfsd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_initrc_domtrans_nfsd',` - gen_require(` - type nfsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nfsd_initrc_exec_t) -') - -######################################## -## -## Execute domain in rpcd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_domtrans_rpcd',` - gen_require(` - type rpcd_t, rpcd_exec_t; - ') - - domtrans_pattern($1, rpcd_exec_t, rpcd_t) - allow rpcd_t $1:process signal; -') - -####################################### -## -## Execute domain in rpcd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpc_initrc_domtrans_rpcd',` - gen_require(` - type rpcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, rpcd_initrc_exec_t) -') - -######################################## -## -## Read NFS exported content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rpc_read_nfs_content',` - gen_require(` - type nfsd_ro_t, nfsd_rw_t; - ') - - allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read }; -') - -######################################## -## -## Allow domain to create read and write NFS directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rpc_manage_nfs_rw_content',` - gen_require(` - type nfsd_rw_t; - ') - - manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) -') - -######################################## -## -## Allow domain to create read and write NFS directories. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rpc_manage_nfs_ro_content',` - gen_require(` - type nfsd_ro_t; - ') - - manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) -') - -######################################## -## -## Allow domain to read and write to an NFS TCP socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_tcp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:tcp_socket rw_socket_perms; -') - -######################################## -## -## Allow domain to read and write to an NFS UDP socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_udp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:udp_socket rw_socket_perms; -') - -######################################## -## -## Send UDP traffic to NFSd. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_udp_send_nfs',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Search NFS state data in /var/lib/nfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_search_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; -') - -######################################## -## -## Read NFS state data in /var/lib/nfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_read_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -') - -######################################## -## -## Manage NFS state data in /var/lib/nfs. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpc_manage_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te deleted file mode 100644 index 62fca9732..000000000 --- a/policy/modules/services/rpc.te +++ /dev/null @@ -1,237 +0,0 @@ -policy_module(rpc, 1.13.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow gssd to read temp directory. For access to kerberos tgt. -##

-## -gen_tunable(allow_gssd_read_tmp, true) - -## -##

-## Allow nfs servers to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

-## -gen_tunable(allow_nfsd_anon_write, false) - -type exports_t; -files_config_file(exports_t) - -rpc_domain_template(gssd) - -type gssd_tmp_t; -files_tmp_file(gssd_tmp_t) - -type rpcd_var_run_t; -files_pid_file(rpcd_var_run_t) - -# rpcd_t is the domain of rpc daemons. -# rpc_exec_t is the type of rpc daemon programs. -rpc_domain_template(rpcd) - -type rpcd_initrc_exec_t; -init_script_file(rpcd_initrc_exec_t) - -rpc_domain_template(nfsd) - -type nfsd_initrc_exec_t; -init_script_file(nfsd_initrc_exec_t) - -type nfsd_rw_t; -files_type(nfsd_rw_t) - -type nfsd_ro_t; -files_type(nfsd_ro_t) - -type var_lib_nfs_t; -files_mountpoint(var_lib_nfs_t) - -######################################## -# -# RPC local policy -# - -allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; -allow rpcd_t self:process { getcap setcap }; -allow rpcd_t self:fifo_file rw_fifo_file_perms; - -allow rpcd_t rpcd_var_run_t:dir setattr; -manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(rpcd_t, rpcd_var_run_t, file) - -# rpc.statd executes sm-notify -can_exec(rpcd_t, rpcd_exec_t) - -kernel_read_system_state(rpcd_t) -kernel_read_network_state(rpcd_t) -# for rpc.rquotad -kernel_read_sysctl(rpcd_t) -kernel_rw_fs_sysctls(rpcd_t) -kernel_dontaudit_getattr_core_if(rpcd_t) -kernel_signal(rpcd_t) - -corecmd_exec_bin(rpcd_t) - -files_manage_mounttab(rpcd_t) -files_getattr_all_dirs(rpcd_t) - -fs_list_rpc(rpcd_t) -fs_read_rpc_files(rpcd_t) -fs_read_rpc_symlinks(rpcd_t) -fs_rw_rpc_sockets(rpcd_t) -fs_get_all_fs_quotas(rpcd_t) -fs_getattr_all_fs(rpcd_t) - -storage_getattr_fixed_disk_dev(rpcd_t) - -selinux_dontaudit_read_fs(rpcd_t) - -miscfiles_read_generic_certs(rpcd_t) - -seutil_dontaudit_search_config(rpcd_t) - -optional_policy(` - automount_signal(rpcd_t) - automount_dontaudit_write_pipes(rpcd_t) -') - -optional_policy(` - nis_read_ypserv_config(rpcd_t) -') - -######################################## -# -# NFSD local policy -# - -allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; - -allow nfsd_t exports_t:file read_file_perms; -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - -# for /proc/fs/nfs/exports - should we have a new type? -kernel_read_system_state(nfsd_t) -kernel_read_network_state(nfsd_t) -kernel_dontaudit_getattr_core_if(nfsd_t) - -corenet_tcp_bind_all_rpc_ports(nfsd_t) -corenet_udp_bind_all_rpc_ports(nfsd_t) - -dev_dontaudit_getattr_all_blk_files(nfsd_t) -dev_dontaudit_getattr_all_chr_files(nfsd_t) -dev_rw_lvm_control(nfsd_t) - -# does not really need this, but it is easier to just allow it -files_search_pids(nfsd_t) -# for exportfs and rpc.mountd -files_getattr_tmp_dirs(nfsd_t) -# cjp: this should really have its own type -files_manage_mounttab(nfsd_t) -files_read_etc_runtime_files(nfsd_t) - -fs_mount_nfsd_fs(nfsd_t) -fs_search_nfsd_fs(nfsd_t) -fs_getattr_all_fs(nfsd_t) -fs_getattr_all_dirs(nfsd_t) -fs_rw_nfsd_fs(nfsd_t) - -storage_dontaudit_read_fixed_disk(nfsd_t) -storage_raw_read_removable_device(nfsd_t) - -# Read access to public_content_t and public_content_rw_t -miscfiles_read_public_files(nfsd_t) - -# Write access to public_content_t and public_content_rw_t -tunable_policy(`allow_nfsd_anon_write',` - miscfiles_manage_public_files(nfsd_t) -') - -tunable_policy(`nfs_export_all_rw',` - dev_getattr_all_blk_files(nfsd_t) - dev_getattr_all_chr_files(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) - auth_manage_all_files_except_auth_files(nfsd_t) -') - -tunable_policy(`nfs_export_all_ro',` - dev_getattr_all_blk_files(nfsd_t) - dev_getattr_all_chr_files(nfsd_t) - - files_getattr_all_pipes(nfsd_t) - files_getattr_all_sockets(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) - - auth_read_all_dirs_except_auth_files(nfsd_t) - auth_read_all_files_except_auth_files(nfsd_t) -') - -######################################## -# -# GSSD local policy -# - -allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; -allow gssd_t self:process { getsched setsched }; -allow gssd_t self:fifo_file rw_file_perms; - -manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) - -kernel_read_system_state(gssd_t) -kernel_read_network_state(gssd_t) -kernel_read_network_state_symlinks(gssd_t) -kernel_request_load_module(gssd_t) -kernel_search_network_sysctl(gssd_t) -kernel_signal(gssd_t) - -corecmd_exec_bin(gssd_t) - -fs_list_rpc(gssd_t) -fs_rw_rpc_sockets(gssd_t) -fs_read_rpc_files(gssd_t) - -fs_list_inotifyfs(gssd_t) -files_list_tmp(gssd_t) -files_read_usr_symlinks(gssd_t) -files_dontaudit_write_var_dirs(gssd_t) - -auth_use_nsswitch(gssd_t) -auth_manage_cache(gssd_t) - -miscfiles_read_generic_certs(gssd_t) - -mount_signal(gssd_t) - -userdom_signal_all_users(gssd_t) - -tunable_policy(`allow_gssd_read_tmp',` - userdom_list_user_tmp(gssd_t) - userdom_read_user_tmp_files(gssd_t) - userdom_read_user_tmp_symlinks(gssd_t) -') - -optional_policy(` - automount_signal(gssd_t) -') - -optional_policy(` - kerberos_keytab_template(gssd, gssd_t) -') - -optional_policy(` - pcscd_read_pub_files(gssd_t) -') - -optional_policy(` - xserver_rw_xdm_tmp_files(gssd_t) -') diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc deleted file mode 100644 index f5c47d647..000000000 --- a/policy/modules/services/rpcbind.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) - -/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - -/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if deleted file mode 100644 index a96249cf9..000000000 --- a/policy/modules/services/rpcbind.if +++ /dev/null @@ -1,148 +0,0 @@ -## Universal Addresses to RPC Program Number Mapper - -######################################## -## -## Execute a domain transition to run rpcbind. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rpcbind_domtrans',` - gen_require(` - type rpcbind_t, rpcbind_exec_t; - ') - - domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) -') - -######################################## -## -## Connect to rpcbindd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_stream_connect',` - gen_require(` - type rpcbind_t, rpcbind_var_run_t; - ') - - files_search_pids($1) - allow $1 rpcbind_var_run_t:sock_file write; - allow $1 rpcbind_t:unix_stream_socket connectto; -') - -######################################## -## -## Read rpcbind PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_read_pid_files',` - gen_require(` - type rpcbind_var_run_t; - ') - - files_search_pids($1) - allow $1 rpcbind_var_run_t:file read_file_perms; -') - -######################################## -## -## Search rpcbind lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_search_lib',` - gen_require(` - type rpcbind_var_lib_t; - ') - - allow $1 rpcbind_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read rpcbind lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_read_lib_files',` - gen_require(` - type rpcbind_var_lib_t; - ') - - read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Create, read, write, and delete -## rpcbind lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rpcbind_manage_lib_files',` - gen_require(` - type rpcbind_var_lib_t; - ') - - manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## All of the rules required to administrate -## an rpcbind environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the rpcbind domain. -## -## -## -# -interface(`rpcbind_admin',` - gen_require(` - type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t; - type rpcbind_initrc_exec_t; - ') - - allow $1 rpcbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, rpcbind_t) - - init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; -') diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te deleted file mode 100644 index a63e9eee9..000000000 --- a/policy/modules/services/rpcbind.te +++ /dev/null @@ -1,69 +0,0 @@ -policy_module(rpcbind, 1.5.0) - -######################################## -# -# Declarations -# - -type rpcbind_t; -type rpcbind_exec_t; -init_daemon_domain(rpcbind_t, rpcbind_exec_t) - -type rpcbind_initrc_exec_t; -init_script_file(rpcbind_initrc_exec_t) - -type rpcbind_var_run_t; -files_pid_file(rpcbind_var_run_t) - -type rpcbind_var_lib_t; -files_type(rpcbind_var_lib_t) - -######################################## -# -# rpcbind local policy -# - -allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -allow rpcbind_t self:fifo_file rw_file_perms; -allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; -allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; -allow rpcbind_t self:udp_socket create_socket_perms; -allow rpcbind_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) -manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) -files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) - -manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) -files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) - -kernel_read_system_state(rpcbind_t) -kernel_read_network_state(rpcbind_t) -kernel_request_load_module(rpcbind_t) - -corenet_all_recvfrom_unlabeled(rpcbind_t) -corenet_all_recvfrom_netlabel(rpcbind_t) -corenet_tcp_sendrecv_generic_if(rpcbind_t) -corenet_udp_sendrecv_generic_if(rpcbind_t) -corenet_tcp_sendrecv_generic_node(rpcbind_t) -corenet_udp_sendrecv_generic_node(rpcbind_t) -corenet_tcp_sendrecv_all_ports(rpcbind_t) -corenet_udp_sendrecv_all_ports(rpcbind_t) -corenet_tcp_bind_generic_node(rpcbind_t) -corenet_udp_bind_generic_node(rpcbind_t) -corenet_tcp_bind_portmap_port(rpcbind_t) -corenet_udp_bind_portmap_port(rpcbind_t) -corenet_udp_bind_all_rpc_ports(rpcbind_t) - -domain_use_interactive_fds(rpcbind_t) - -files_read_etc_files(rpcbind_t) -files_read_etc_runtime_files(rpcbind_t) - -logging_send_syslog_msg(rpcbind_t) - -miscfiles_read_localization(rpcbind_t) - -sysnet_dns_name_resolve(rpcbind_t) diff --git a/policy/modules/services/rshd.fc b/policy/modules/services/rshd.fc deleted file mode 100644 index 6a4db031f..000000000 --- a/policy/modules/services/rshd.fc +++ /dev/null @@ -1,5 +0,0 @@ - -/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) - -/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) -/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if deleted file mode 100644 index 2e87d76b4..000000000 --- a/policy/modules/services/rshd.if +++ /dev/null @@ -1,21 +0,0 @@ -## Remote shell service. - -######################################## -## -## Domain transition to rshd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rshd_domtrans',` - gen_require(` - type rshd_exec_t, rshd_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, rshd_exec_t, rshd_t) -') diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te deleted file mode 100644 index 0b405d102..000000000 --- a/policy/modules/services/rshd.te +++ /dev/null @@ -1,96 +0,0 @@ -policy_module(rshd, 1.7.0) - -######################################## -# -# Declarations -# -type rshd_t; -type rshd_exec_t; -inetd_tcp_service_domain(rshd_t, rshd_exec_t) -domain_subj_id_change_exemption(rshd_t) -domain_role_change_exemption(rshd_t) -role system_r types rshd_t; - -######################################## -# -# Local policy -# -allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; -allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; -allow rshd_t self:fifo_file rw_fifo_file_perms; -allow rshd_t self:tcp_socket create_stream_socket_perms; - -kernel_read_kernel_sysctls(rshd_t) - -corenet_all_recvfrom_unlabeled(rshd_t) -corenet_all_recvfrom_netlabel(rshd_t) -corenet_tcp_sendrecv_generic_if(rshd_t) -corenet_udp_sendrecv_generic_if(rshd_t) -corenet_tcp_sendrecv_generic_node(rshd_t) -corenet_udp_sendrecv_generic_node(rshd_t) -corenet_tcp_sendrecv_all_ports(rshd_t) -corenet_udp_sendrecv_all_ports(rshd_t) -corenet_tcp_bind_generic_node(rshd_t) -corenet_tcp_bind_rsh_port(rshd_t) -corenet_tcp_bind_all_rpc_ports(rshd_t) -corenet_tcp_connect_all_ports(rshd_t) -corenet_tcp_connect_all_rpc_ports(rshd_t) -corenet_sendrecv_rsh_server_packets(rshd_t) - -dev_read_urand(rshd_t) - -selinux_get_fs_mount(rshd_t) -selinux_validate_context(rshd_t) -selinux_compute_access_vector(rshd_t) -selinux_compute_create_context(rshd_t) -selinux_compute_relabel_context(rshd_t) -selinux_compute_user_contexts(rshd_t) - -corecmd_read_bin_symlinks(rshd_t) - -files_list_home(rshd_t) -files_read_etc_files(rshd_t) -files_search_tmp(rshd_t) - -auth_login_pgm_domain(rshd_t) -auth_write_login_records(rshd_t) - -init_rw_utmp(rshd_t) - -logging_send_syslog_msg(rshd_t) -logging_search_logs(rshd_t) - -miscfiles_read_localization(rshd_t) - -seutil_read_config(rshd_t) -seutil_read_default_contexts(rshd_t) - -userdom_search_user_home_content(rshd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(rshd_t) - fs_read_nfs_symlinks(rshd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(rshd_t) - fs_read_cifs_symlinks(rshd_t) -') - -optional_policy(` - kerberos_keytab_template(rshd, rshd_t) - kerberos_manage_host_rcache(rshd_t) -') - -optional_policy(` - rlogin_read_home_content(rshd_t) -') - -optional_policy(` - tcpd_wrapped_domain(rshd_t, rshd_exec_t) -') - -optional_policy(` - unconfined_shell_domtrans(rshd_t) - unconfined_signal(rshd_t) -') diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc deleted file mode 100644 index 479615be1..000000000 --- a/policy/modules/services/rsync.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) - -/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) - -/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) - -/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if deleted file mode 100644 index 3386f2971..000000000 --- a/policy/modules/services/rsync.if +++ /dev/null @@ -1,143 +0,0 @@ -## Fast incremental file transfer for synchronization - -######################################## -## -## Make rsync an entry point for -## the specified domain. -## -## -## -## The domain for which init scripts are an entrypoint. -## -## -# cjp: added for portage -interface(`rsync_entry_type',` - gen_require(` - type rsync_exec_t; - ') - - domain_entry_file($1, rsync_exec_t) -') - -######################################## -## -## Execute a rsync in a specified domain. -## -## -##

-## Execute a rsync in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-## -## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# cjp: added for portage -interface(`rsync_entry_spec_domtrans',` - gen_require(` - type rsync_exec_t; - ') - - domain_trans($1, rsync_exec_t, $2) -') - -######################################## -## -## Execute a rsync in a specified domain. -## -## -##

-## Execute a rsync in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-## -## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# cjp: added for portage -interface(`rsync_entry_domtrans',` - gen_require(` - type rsync_exec_t; - ') - - domain_auto_trans($1, rsync_exec_t, $2) -') - -######################################## -## -## Execute rsync in the caller domain domain. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`rsync_exec',` - gen_require(` - type rsync_exec_t; - ') - - can_exec($1, rsync_exec_t) -') - -######################################## -## -## Read rsync config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rsync_read_config',` - gen_require(` - type rsync_etc_t; - ') - - allow $1 rsync_etc_t:file read_file_perms; - files_search_etc($1) -') - -######################################## -## -## Write to rsync config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rsync_write_config',` - gen_require(` - type rsync_etc_t; - ') - - allow $1 rsync_etc_t:file read_file_perms; - files_search_etc($1) -') diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te deleted file mode 100644 index 5c17e847f..000000000 --- a/policy/modules/services/rsync.te +++ /dev/null @@ -1,133 +0,0 @@ -policy_module(rsync, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow rsync to export any files/directories read only. -##

-## -gen_tunable(rsync_export_all_ro, false) - -## -##

-## Allow rsync to modify public files -## used for public file transfer services. Files/Directories must be -## labeled public_content_rw_t. -##

-## -gen_tunable(allow_rsync_anon_write, false) - -type rsync_t; -type rsync_exec_t; -init_daemon_domain(rsync_t, rsync_exec_t) -application_executable_file(rsync_exec_t) -role system_r types rsync_t; - -type rsync_etc_t; -files_config_file(rsync_etc_t) - -type rsync_data_t; -files_type(rsync_data_t) - -type rsync_log_t; -logging_log_file(rsync_log_t) - -type rsync_tmp_t; -files_tmp_file(rsync_tmp_t) - -type rsync_var_run_t; -files_pid_file(rsync_var_run_t) - -######################################## -# -# Local policy -# - -allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; -allow rsync_t self:process signal_perms; -allow rsync_t self:fifo_file rw_fifo_file_perms; -allow rsync_t self:tcp_socket create_stream_socket_perms; -allow rsync_t self:udp_socket connected_socket_perms; - -# for identd -# cjp: this should probably only be inetd_child_t rules? -# search home and kerberos also. -allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -#end for identd - -allow rsync_t rsync_etc_t:file read_file_perms; - -allow rsync_t rsync_data_t:dir list_dir_perms; -read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - -manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) -logging_log_filetrans(rsync_t, rsync_log_t, file) - -manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) - -manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t) -files_pid_filetrans(rsync_t, rsync_var_run_t, file) - -kernel_read_kernel_sysctls(rsync_t) -kernel_read_system_state(rsync_t) -kernel_read_network_state(rsync_t) - -corenet_all_recvfrom_unlabeled(rsync_t) -corenet_all_recvfrom_netlabel(rsync_t) -corenet_tcp_sendrecv_generic_if(rsync_t) -corenet_udp_sendrecv_generic_if(rsync_t) -corenet_tcp_sendrecv_generic_node(rsync_t) -corenet_udp_sendrecv_generic_node(rsync_t) -corenet_tcp_sendrecv_all_ports(rsync_t) -corenet_udp_sendrecv_all_ports(rsync_t) -corenet_tcp_bind_generic_node(rsync_t) -corenet_tcp_bind_rsync_port(rsync_t) -corenet_sendrecv_rsync_server_packets(rsync_t) - -dev_read_urand(rsync_t) - -fs_getattr_xattr_fs(rsync_t) - -files_read_etc_files(rsync_t) -files_search_home(rsync_t) - -auth_use_nsswitch(rsync_t) - -logging_send_syslog_msg(rsync_t) - -miscfiles_read_localization(rsync_t) -miscfiles_read_public_files(rsync_t) - -tunable_policy(`allow_rsync_anon_write',` - miscfiles_manage_public_files(rsync_t) -') - -optional_policy(` - daemontools_service_domain(rsync_t, rsync_exec_t) -') - -optional_policy(` - kerberos_use(rsync_t) -') - -optional_policy(` - inetd_service_domain(rsync_t, rsync_exec_t) -') - -tunable_policy(`rsync_export_all_ro',` - fs_read_noxattr_fs_files(rsync_t) - fs_read_nfs_files(rsync_t) - fs_read_cifs_files(rsync_t) - auth_read_all_dirs_except_auth_files(rsync_t) - auth_read_all_files_except_auth_files(rsync_t) - auth_read_all_symlinks_except_auth_files(rsync_t) - auth_tunable_read_shadow(rsync_t) -') -auth_can_read_shadow_passwords(rsync_t) diff --git a/policy/modules/services/rtkit.fc b/policy/modules/services/rtkit.fc deleted file mode 100644 index 52c441e15..000000000 --- a/policy/modules/services/rtkit.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if deleted file mode 100644 index 46dad1f93..000000000 --- a/policy/modules/services/rtkit.if +++ /dev/null @@ -1,60 +0,0 @@ -## Realtime scheduling for user processes. - -######################################## -## -## Execute a domain transition to run rtkit_daemon. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rtkit_daemon_domtrans',` - gen_require(` - type rtkit_daemon_t, rtkit_daemon_exec_t; - ') - - domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) -') - -######################################## -## -## Send and receive messages from -## rtkit_daemon over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`rtkit_daemon_dbus_chat',` - gen_require(` - type rtkit_daemon_t; - class dbus send_msg; - ') - - allow $1 rtkit_daemon_t:dbus send_msg; - allow rtkit_daemon_t $1:dbus send_msg; -') - -######################################## -## -## Allow rtkit to control scheduling for your process -## -## -## -## Domain allowed access. -## -## -# -interface(`rtkit_scheduled',` - gen_require(` - type rtkit_daemon_t; - ') - - ps_process_pattern(rtkit_daemon_t, $1) - allow rtkit_daemon_t $1:process { getsched setsched }; - rtkit_daemon_dbus_chat($1) -') diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te deleted file mode 100644 index 6f8e2682e..000000000 --- a/policy/modules/services/rtkit.te +++ /dev/null @@ -1,35 +0,0 @@ -policy_module(rtkit, 1.1.0) - -######################################## -# -# Declarations -# - -type rtkit_daemon_t; -type rtkit_daemon_exec_t; -dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - -######################################## -# -# rtkit_daemon local policy -# - -allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; -allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; - -kernel_read_system_state(rtkit_daemon_t) - -domain_getsched_all_domains(rtkit_daemon_t) -domain_read_all_domains_state(rtkit_daemon_t) - -fs_rw_anon_inodefs_files(rtkit_daemon_t) - -auth_use_nsswitch(rtkit_daemon_t) - -logging_send_syslog_msg(rtkit_daemon_t) - -miscfiles_read_localization(rtkit_daemon_t) - -optional_policy(` - policykit_dbus_chat(rtkit_daemon_t) -') diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc deleted file mode 100644 index bc048cef7..000000000 --- a/policy/modules/services/rwho.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0) - -/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) - -/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) - -/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if deleted file mode 100644 index 71ea0eab7..000000000 --- a/policy/modules/services/rwho.if +++ /dev/null @@ -1,154 +0,0 @@ -## Who is logged in on other machines? - -######################################## -## -## Execute a domain transition to run rwho. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rwho_domtrans',` - gen_require(` - type rwho_t, rwho_exec_t; - ') - - domtrans_pattern($1, rwho_exec_t, rwho_t) -') - -######################################## -## -## Search rwho log directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_search_log',` - gen_require(` - type rwho_log_t; - ') - - allow $1 rwho_log_t:dir search_dir_perms; - logging_search_logs($1) -') - -######################################## -## -## Read rwho log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_read_log_files',` - gen_require(` - type rwho_log_t; - ') - - allow $1 rwho_log_t:file read_file_perms; - allow $1 rwho_log_t:dir list_dir_perms; - logging_search_logs($1) -') - -######################################## -## -## Search rwho spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_search_spool',` - gen_require(` - type rwho_spool_t; - ') - - allow $1 rwho_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read rwho spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_read_spool_files',` - gen_require(` - type rwho_spool_t; - ') - - read_files_pattern($1, rwho_spool_t, rwho_spool_t) - files_search_spool($1) -') - -######################################## -## -## Create, read, write, and delete -## rwho spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`rwho_manage_spool_files',` - gen_require(` - type rwho_spool_t; - ') - - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) - files_search_spool($1) -') - -######################################## -## -## All of the rules required to administrate -## an rwho environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role allowed access. -## -## -## -# -interface(`rwho_admin',` - gen_require(` - type rwho_t, rwho_log_t, rwho_spool_t; - type rwho_initrc_exec_t; - ') - - allow $1 rwho_t:process { ptrace signal_perms }; - ps_process_pattern($1, rwho_t) - - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rwho_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, rwho_log_t) - - files_list_spool($1) - admin_pattern($1, rwho_spool_t) -') diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te deleted file mode 100644 index a07b2f403..000000000 --- a/policy/modules/services/rwho.te +++ /dev/null @@ -1,60 +0,0 @@ -policy_module(rwho, 1.6.0) - -######################################## -# -# Declarations -# - -type rwho_t; -type rwho_exec_t; -init_daemon_domain(rwho_t, rwho_exec_t) - -type rwho_initrc_exec_t; -init_script_file(rwho_initrc_exec_t) - -type rwho_log_t; -files_type(rwho_log_t) - -type rwho_spool_t; -files_type(rwho_spool_t) - -######################################## -# -# rwho local policy -# - -allow rwho_t self:capability sys_chroot; -allow rwho_t self:unix_dgram_socket create; -allow rwho_t self:fifo_file rw_file_perms; -allow rwho_t self:unix_stream_socket create_stream_socket_perms; -allow rwho_t self:udp_socket create_socket_perms; - -allow rwho_t rwho_log_t:dir manage_dir_perms; -allow rwho_t rwho_log_t:file manage_file_perms; -logging_log_filetrans(rwho_t, rwho_log_t, { file dir }) - -allow rwho_t rwho_spool_t:dir manage_dir_perms; -allow rwho_t rwho_spool_t:file manage_file_perms; -files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) - -kernel_read_system_state(rwho_t) - -corenet_all_recvfrom_unlabeled(rwho_t) -corenet_all_recvfrom_netlabel(rwho_t) -corenet_udp_sendrecv_generic_if(rwho_t) -corenet_udp_sendrecv_generic_node(rwho_t) -corenet_udp_sendrecv_all_ports(rwho_t) -corenet_udp_bind_generic_node(rwho_t) -corenet_udp_bind_rwho_port(rwho_t) -corenet_sendrecv_rwho_server_packets(rwho_t) - -domain_use_interactive_fds(rwho_t) - -files_read_etc_files(rwho_t) - -init_read_utmp(rwho_t) -init_dontaudit_write_utmp(rwho_t) - -miscfiles_read_localization(rwho_t) - -sysnet_dns_name_resolve(rwho_t) diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc deleted file mode 100644 index 69a6074f9..000000000 --- a/policy/modules/services/samba.fc +++ /dev/null @@ -1,53 +0,0 @@ - -# -# /etc -# -/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) - -# -# /usr -# -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) -/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) -/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) - -/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) -/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) -/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) - -# -# /var -# -/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) - -/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) -/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - -/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - -/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if deleted file mode 100644 index 82cb169c0..000000000 --- a/policy/modules/services/samba.if +++ /dev/null @@ -1,730 +0,0 @@ -## -## SMB and CIFS client/server programs for UNIX and -## name Service Switch daemon for resolving names -## from Windows NT servers. -## - -######################################## -## -## Execute nmbd net in the nmbd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_nmbd',` - gen_require(` - type nmbd_t, nmbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nmbd_exec_t, nmbd_t) -') - -####################################### -## -## Allow domain to signal samba -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_signal_nmbd',` - gen_require(` - type nmbd_t; - ') - allow $1 nmbd_t:process signal; -') - -######################################## -## -## Execute samba server in the samba domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_initrc_domtrans',` - gen_require(` - type samba_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, samba_initrc_exec_t) -') - -######################################## -## -## Execute samba net in the samba_net domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_net',` - gen_require(` - type samba_net_t, samba_net_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samba_net_exec_t, samba_net_t) -') - -######################################## -## -## Execute samba net in the samba_net domain, and -## allow the specified role the samba_net domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`samba_run_net',` - gen_require(` - type samba_net_t; - ') - - samba_domtrans_net($1) - role $2 types samba_net_t; -') - -######################################## -## -## Execute smbmount in the smbmount domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_smbmount',` - gen_require(` - type smbmount_t, smbmount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbmount_exec_t, smbmount_t) -') - -######################################## -## -## Execute smbmount interactively and do -## a domain transition to the smbmount domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`samba_run_smbmount',` - gen_require(` - type smbmount_t; - ') - - samba_domtrans_smbmount($1) - role $2 types smbmount_t; -') - -######################################## -## -## Allow the specified domain to read -## samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_read_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## -## Allow the specified domain to read -## and write samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_rw_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - rw_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## -## Allow the specified domain to read -## and write samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_manage_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, samba_etc_t, samba_etc_t) - manage_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## -## Allow the specified domain to read samba's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_read_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - read_files_pattern($1, samba_log_t, samba_log_t) -') - -######################################## -## -## Allow the specified domain to append to samba's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`samba_append_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - allow $1 samba_log_t:file append_file_perms; -') - -######################################## -## -## Execute samba log in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_exec_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - can_exec($1, samba_log_t) -') - -######################################## -## -## Allow the specified domain to read samba's secrets. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_secrets',` - gen_require(` - type samba_secrets_t; - ') - - files_search_etc($1) - allow $1 samba_secrets_t:file read_file_perms; -') - -######################################## -## -## Allow the specified domain to read samba's shares -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_share_files',` - gen_require(` - type samba_share_t; - ') - - allow $1 samba_share_t:filesystem getattr; - read_files_pattern($1, samba_share_t, samba_share_t) -') - -######################################## -## -## Allow the specified domain to search -## samba /var directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_search_var',` - gen_require(` - type samba_var_t; - ') - - files_search_var($1) - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to -## read samba /var files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var($1) - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## -## Do not audit attempts to write samba -## /var files. -## -## -## -## Domain to not audit. -## -## -# -interface(`samba_dontaudit_write_var_files',` - gen_require(` - type samba_var_t; - ') - - dontaudit $1 samba_var_t:file write; -') - -######################################## -## -## Allow the specified domain to -## read and write samba /var files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_rw_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var($1) - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## -## Allow the specified domain to -## read and write samba /var files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_manage_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var($1) - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## -## Execute a domain transition to run smbcontrol. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_smbcontrol',` - gen_require(` - type smbcontrol_t; - type smbcontrol_exec_t; - ') - - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -') - -######################################## -## -## Execute smbcontrol in the smbcontrol domain, and -## allow the specified role the smbcontrol domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`samba_run_smbcontrol',` - gen_require(` - type smbcontrol_t; - ') - - samba_domtrans_smbcontrol($1) - role $2 types smbcontrol_t; -') - -######################################## -## -## Execute smbd in the smbd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_smbd',` - gen_require(` - type smbd_t, smbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbd_exec_t, smbd_t) -') - -###################################### -## -## Allow domain to signal samba -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_signal_smbd',` - gen_require(` - type smbd_t; - ') - allow $1 smbd_t:process signal; -') - -######################################## -## -## Do not audit attempts to use file descriptors from samba. -## -## -## -## Domain to not audit. -## -## -# -interface(`samba_dontaudit_use_fds',` - gen_require(` - type smbd_t; - ') - - dontaudit $1 smbd_t:fd use; -') - -######################################## -## -## Allow the specified domain to write to smbmount tcp sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_write_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket write; -') - -######################################## -## -## Allow the specified domain to read and write to smbmount tcp sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_rw_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket { read write }; -') - -######################################## -## -## Execute winbind_helper in the winbind_helper domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samba_domtrans_winbind_helper',` - gen_require(` - type winbind_helper_t, winbind_helper_exec_t; - ') - - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -') - -######################################## -## -## Execute winbind_helper in the winbind_helper domain, and -## allow the specified role the winbind_helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`samba_run_winbind_helper',` - gen_require(` - type winbind_helper_t; - ') - - samba_domtrans_winbind_helper($1) - role $2 types winbind_helper_t; -') - -######################################## -## -## Allow the specified domain to read the winbind pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_read_winbind_pid',` - gen_require(` - type winbind_var_run_t; - ') - - files_search_pids($1) - allow $1 winbind_var_run_t:file read_file_perms; -') - -######################################## -## -## Connect to winbind. -## -## -## -## Domain allowed access. -## -## -# -interface(`samba_stream_connect_winbind',` - gen_require(` - type samba_var_t, winbind_t, winbind_var_run_t; - ') - - files_search_pids($1) - allow $1 samba_var_t:dir search_dir_perms; - stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) - - ifndef(`distro_redhat',` - gen_require(` - type winbind_tmp_t; - ') - - # the default for the socket is (poorly named): - # /tmp/.winbindd/pipe - files_search_tmp($1) - stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) - ') -') - -######################################## -## -## All of the rules required to administrate -## an samba environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the samba domain. -## -## -## -# -interface(`samba_admin',` - gen_require(` - type nmbd_t, nmbd_var_run_t; - type smbd_t, smbd_tmp_t; - type smbd_var_run_t; - type smbd_spool_t; - - type samba_log_t, samba_var_t; - type samba_etc_t, samba_share_t; - type samba_secrets_t; - - type swat_var_run_t, swat_tmp_t; - - type winbind_var_run_t, winbind_tmp_t; - type winbind_log_t; - - type samba_initrc_exec_t; - ') - - allow $1 smbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, smbd_t) - - allow $1 nmbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nmbd_t) - - samba_run_smbcontrol($1, $2, $3) - samba_run_winbind_helper($1, $2, $3) - samba_run_smbmount($1, $2, $3) - samba_run_net($1, $2, $3) - - init_labeled_script_domtrans($1, samba_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 samba_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, nmbd_var_run_t) - - admin_pattern($1, samba_etc_t) - files_list_etc($1) - - admin_pattern($1, samba_log_t) - logging_list_logs($1) - - admin_pattern($1, samba_secrets_t) - - admin_pattern($1, samba_share_t) - - admin_pattern($1, samba_var_t) - files_list_var($1) - - admin_pattern($1, smbd_spool_t) - files_list_spool($1) - - admin_pattern($1, smbd_var_run_t) - files_list_pids($1) - - admin_pattern($1, smbd_tmp_t) - files_list_tmp($1) - - admin_pattern($1, swat_var_run_t) - - admin_pattern($1, swat_tmp_t) - - admin_pattern($1, winbind_log_t) - - admin_pattern($1, winbind_tmp_t) - - admin_pattern($1, winbind_var_run_t) -') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te deleted file mode 100644 index fff6675dc..000000000 --- a/policy/modules/services/samba.te +++ /dev/null @@ -1,939 +0,0 @@ -policy_module(samba, 1.14.0) - -################################# -# -# Declarations -# - -## -##

-## Allow samba to modify public files used for public file -## transfer services. Files/Directories must be labeled -## public_content_rw_t. -##

-## -gen_tunable(allow_smbd_anon_write, false) - -## -##

-## Allow samba to create new home directories (e.g. via PAM) -##

-## -gen_tunable(samba_create_home_dirs, false) - -## -##

-## Allow samba to act as the domain controller, add users, -## groups and change passwords. -## -##

-## -gen_tunable(samba_domain_controller, false) - -## -##

-## Allow samba to share users home directories. -##

-## -gen_tunable(samba_enable_home_dirs, false) - -## -##

-## Allow samba to share any file/directory read only. -##

-## -gen_tunable(samba_export_all_ro, false) - -## -##

-## Allow samba to share any file/directory read/write. -##

-## -gen_tunable(samba_export_all_rw, false) - -## -##

-## Allow samba to run unconfined scripts -##

-## -gen_tunable(samba_run_unconfined, false) - -## -##

-## Allow samba to export NFS volumes. -##

-## -gen_tunable(samba_share_nfs, false) - -## -##

-## Allow samba to export ntfs/fusefs volumes. -##

-## -gen_tunable(samba_share_fusefs, false) - -type nmbd_t; -type nmbd_exec_t; -init_daemon_domain(nmbd_t, nmbd_exec_t) - -type nmbd_var_run_t; -files_pid_file(nmbd_var_run_t) - -type samba_etc_t; -files_config_file(samba_etc_t) - -type samba_initrc_exec_t; -init_script_file(samba_initrc_exec_t) - -type samba_log_t; -logging_log_file(samba_log_t) - -type samba_net_t; -type samba_net_exec_t; -application_domain(samba_net_t, samba_net_exec_t) -role system_r types samba_net_t; - -type samba_net_tmp_t; -files_tmp_file(samba_net_tmp_t) - -type samba_secrets_t; -files_type(samba_secrets_t) - -type samba_share_t; # customizable -files_type(samba_share_t) - -type samba_var_t; -files_type(samba_var_t) - -type smbcontrol_t; -type smbcontrol_exec_t; -application_domain(smbcontrol_t, smbcontrol_exec_t) -role system_r types smbcontrol_t; - -type smbd_t; -type smbd_exec_t; -init_daemon_domain(smbd_t, smbd_exec_t) - -type smbd_tmp_t; -files_tmp_file(smbd_tmp_t) - -type smbd_var_run_t; -files_pid_file(smbd_var_run_t) - -type smbmount_t; -domain_type(smbmount_t) - -type smbmount_exec_t; -domain_entry_file(smbmount_t, smbmount_exec_t) - -type swat_t; -type swat_exec_t; -domain_type(swat_t) -domain_entry_file(swat_t, swat_exec_t) -role system_r types swat_t; - -type swat_tmp_t; -files_tmp_file(swat_tmp_t) - -type swat_var_run_t; -files_pid_file(swat_var_run_t) - -type winbind_t; -type winbind_exec_t; -init_daemon_domain(winbind_t, winbind_exec_t) - -type winbind_helper_t; -domain_type(winbind_helper_t) -role system_r types winbind_helper_t; - -type winbind_helper_exec_t; -domain_entry_file(winbind_helper_t, winbind_helper_exec_t) - -type winbind_log_t; -logging_log_file(winbind_log_t) - -type winbind_tmp_t; -files_tmp_file(winbind_tmp_t) - -type winbind_var_run_t; -files_pid_file(winbind_var_run_t) - -######################################## -# -# Samba net local policy -# -allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; -allow samba_net_t self:process { getsched setsched }; -allow samba_net_t self:unix_dgram_socket create_socket_perms; -allow samba_net_t self:unix_stream_socket create_stream_socket_perms; -allow samba_net_t self:udp_socket create_socket_perms; -allow samba_net_t self:tcp_socket create_socket_perms; - -allow samba_net_t samba_etc_t:file read_file_perms; - -manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t) -filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) -manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) -files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - -manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) -manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) - -kernel_read_proc_symlinks(samba_net_t) -kernel_read_system_state(samba_net_t) - -corenet_all_recvfrom_unlabeled(samba_net_t) -corenet_all_recvfrom_netlabel(samba_net_t) -corenet_tcp_sendrecv_generic_if(samba_net_t) -corenet_udp_sendrecv_generic_if(samba_net_t) -corenet_raw_sendrecv_generic_if(samba_net_t) -corenet_tcp_sendrecv_generic_node(samba_net_t) -corenet_udp_sendrecv_generic_node(samba_net_t) -corenet_raw_sendrecv_generic_node(samba_net_t) -corenet_tcp_sendrecv_all_ports(samba_net_t) -corenet_udp_sendrecv_all_ports(samba_net_t) -corenet_tcp_bind_generic_node(samba_net_t) -corenet_udp_bind_generic_node(samba_net_t) -corenet_tcp_connect_smbd_port(samba_net_t) - -dev_read_urand(samba_net_t) - -domain_use_interactive_fds(samba_net_t) - -files_read_etc_files(samba_net_t) -files_read_usr_symlinks(samba_net_t) - -auth_use_nsswitch(samba_net_t) -auth_manage_cache(samba_net_t) - -logging_send_syslog_msg(samba_net_t) - -miscfiles_read_localization(samba_net_t) - -samba_read_var_files(samba_net_t) - -userdom_use_user_terminals(samba_net_t) -userdom_list_user_home_dirs(samba_net_t) - -optional_policy(` - pcscd_read_pub_files(samba_net_t) -') - -optional_policy(` - kerberos_use(samba_net_t) -') - -######################################## -# -# smbd Local policy -# -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -dontaudit smbd_t self:capability sys_tty_config; -allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow smbd_t self:process setrlimit; -allow smbd_t self:fd use; -allow smbd_t self:fifo_file rw_fifo_file_perms; -allow smbd_t self:msg { send receive }; -allow smbd_t self:msgq create_msgq_perms; -allow smbd_t self:sem create_sem_perms; -allow smbd_t self:shm create_shm_perms; -allow smbd_t self:sock_file read_sock_file_perms; -allow smbd_t self:tcp_socket create_stream_socket_perms; -allow smbd_t self:udp_socket create_socket_perms; -allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -allow smbd_t nmbd_t:process { signal signull }; - -allow smbd_t nmbd_var_run_t:file rw_file_perms; - -allow smbd_t samba_etc_t:file { rw_file_perms setattr }; - -manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) -manage_files_pattern(smbd_t, samba_log_t, samba_log_t) - -allow smbd_t samba_net_tmp_t:file getattr; - -manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) -filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) -manage_files_pattern(smbd_t, samba_share_t, samba_share_t) -manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) -allow smbd_t samba_share_t:filesystem getattr; - -manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) -manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) -manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) - -allow smbd_t smbcontrol_t:process { signal signull }; - -manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) -manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) -files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) - -manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -files_pid_filetrans(smbd_t, smbd_var_run_t, file) - -allow smbd_t swat_t:process signal; - -allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; - -allow smbd_t winbind_t:process { signal signull }; - -kernel_getattr_core_if(smbd_t) -kernel_getattr_message_if(smbd_t) -kernel_read_network_state(smbd_t) -kernel_read_fs_sysctls(smbd_t) -kernel_read_kernel_sysctls(smbd_t) -kernel_read_software_raid_state(smbd_t) -kernel_read_system_state(smbd_t) - -corecmd_exec_shell(smbd_t) -corecmd_exec_bin(smbd_t) - -corenet_all_recvfrom_unlabeled(smbd_t) -corenet_all_recvfrom_netlabel(smbd_t) -corenet_tcp_sendrecv_generic_if(smbd_t) -corenet_udp_sendrecv_generic_if(smbd_t) -corenet_raw_sendrecv_generic_if(smbd_t) -corenet_tcp_sendrecv_generic_node(smbd_t) -corenet_udp_sendrecv_generic_node(smbd_t) -corenet_raw_sendrecv_generic_node(smbd_t) -corenet_tcp_sendrecv_all_ports(smbd_t) -corenet_udp_sendrecv_all_ports(smbd_t) -corenet_tcp_bind_generic_node(smbd_t) -corenet_udp_bind_generic_node(smbd_t) -corenet_tcp_bind_smbd_port(smbd_t) -corenet_tcp_connect_ipp_port(smbd_t) -corenet_tcp_connect_smbd_port(smbd_t) - -dev_read_sysfs(smbd_t) -dev_read_urand(smbd_t) -dev_getattr_mtrr_dev(smbd_t) -dev_dontaudit_getattr_usbfs_dirs(smbd_t) -# For redhat bug 566984 -dev_getattr_all_blk_files(smbd_t) -dev_getattr_all_chr_files(smbd_t) - -fs_getattr_all_fs(smbd_t) -fs_get_xattr_fs_quotas(smbd_t) -fs_search_auto_mountpoints(smbd_t) -fs_getattr_rpc_dirs(smbd_t) -fs_list_inotifyfs(smbd_t) - -auth_use_nsswitch(smbd_t) -auth_domtrans_chk_passwd(smbd_t) -auth_domtrans_upd_passwd(smbd_t) -auth_manage_cache(smbd_t) - -domain_use_interactive_fds(smbd_t) -domain_dontaudit_list_all_domains_state(smbd_t) - -files_list_var_lib(smbd_t) -files_read_etc_files(smbd_t) -files_read_etc_runtime_files(smbd_t) -files_read_usr_files(smbd_t) -files_search_spool(smbd_t) -# smbd seems to getattr all mountpoints -files_dontaudit_getattr_all_dirs(smbd_t) -# Allow samba to list mnt_t for potential mounted dirs -files_list_mnt(smbd_t) - -init_rw_utmp(smbd_t) - -logging_search_logs(smbd_t) -logging_send_syslog_msg(smbd_t) - -miscfiles_read_localization(smbd_t) -miscfiles_read_public_files(smbd_t) - -userdom_use_unpriv_users_fds(smbd_t) -userdom_search_user_home_content(smbd_t) -userdom_signal_all_users(smbd_t) - -usermanage_read_crack_db(smbd_t) - -term_use_ptmx(smbd_t) - -ifdef(`hide_broken_symptoms', ` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) - fs_dontaudit_getattr_tmpfs_dirs(smbd_t) -') - -tunable_policy(`allow_smbd_anon_write',` - miscfiles_manage_public_files(smbd_t) -') - -tunable_policy(`samba_domain_controller',` - gen_require(` - class passwd passwd; - ') - - usermanage_domtrans_passwd(smbd_t) - usermanage_kill_passwd(smbd_t) - usermanage_domtrans_useradd(smbd_t) - usermanage_domtrans_groupadd(smbd_t) - allow smbd_t self:passwd passwd; -') - -tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content_dirs(smbd_t) - userdom_manage_user_home_content_files(smbd_t) - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) - userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) -') - -# Support Samba sharing of NFS mount points -tunable_policy(`samba_share_nfs',` - fs_manage_nfs_dirs(smbd_t) - fs_manage_nfs_files(smbd_t) - fs_manage_nfs_symlinks(smbd_t) - fs_manage_nfs_named_pipes(smbd_t) - fs_manage_nfs_named_sockets(smbd_t) -') - -# Support Samba sharing of ntfs/fusefs mount points -tunable_policy(`samba_share_fusefs',` - fs_manage_fusefs_dirs(smbd_t) - fs_manage_fusefs_files(smbd_t) -',` - fs_search_fusefs(smbd_t) -') - -optional_policy(` - cups_read_rw_config(smbd_t) - cups_stream_connect(smbd_t) -') - -optional_policy(` - kerberos_use(smbd_t) - kerberos_keytab_template(smbd, smbd_t) -') - -optional_policy(` - lpd_exec_lpr(smbd_t) -') - -optional_policy(` - qemu_manage_tmp_dirs(smbd_t) - qemu_manage_tmp_files(smbd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(smbd_t) -') - -optional_policy(` - seutil_sigchld_newrole(smbd_t) -') - -optional_policy(` - udev_read_db(smbd_t) -') - -tunable_policy(`samba_create_home_dirs',` - allow smbd_t self:capability chown; - userdom_create_user_home_dirs(smbd_t) - userdom_home_filetrans_user_home_dir(smbd_t) -') - -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) - auth_read_all_dirs_except_auth_files(smbd_t) - auth_read_all_files_except_auth_files(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - auth_read_all_dirs_except_auth_files(nmbd_t) - auth_read_all_files_except_auth_files(nmbd_t) -') - -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(smbd_t) - auth_manage_all_files_except_auth_files(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - auth_manage_all_files_except_auth_files(nmbd_t) - userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -') - -######################################## -# -# nmbd Local policy -# - -dontaudit nmbd_t self:capability sys_tty_config; -allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow nmbd_t self:fd use; -allow nmbd_t self:fifo_file rw_fifo_file_perms; -allow nmbd_t self:msg { send receive }; -allow nmbd_t self:msgq create_msgq_perms; -allow nmbd_t self:sem create_sem_perms; -allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:sock_file read_sock_file_perms; -allow nmbd_t self:tcp_socket create_stream_socket_perms; -allow nmbd_t self:udp_socket create_socket_perms; -allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) - -read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) - -manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) -manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) - -allow nmbd_t smbcontrol_t:process signal; - -allow nmbd_t smbd_var_run_t:dir rw_dir_perms; - -kernel_getattr_core_if(nmbd_t) -kernel_getattr_message_if(nmbd_t) -kernel_read_kernel_sysctls(nmbd_t) -kernel_read_network_state(nmbd_t) -kernel_read_software_raid_state(nmbd_t) -kernel_read_system_state(nmbd_t) - -corenet_all_recvfrom_unlabeled(nmbd_t) -corenet_all_recvfrom_netlabel(nmbd_t) -corenet_tcp_sendrecv_generic_if(nmbd_t) -corenet_udp_sendrecv_generic_if(nmbd_t) -corenet_tcp_sendrecv_generic_node(nmbd_t) -corenet_udp_sendrecv_generic_node(nmbd_t) -corenet_tcp_sendrecv_all_ports(nmbd_t) -corenet_udp_sendrecv_all_ports(nmbd_t) -corenet_udp_bind_generic_node(nmbd_t) -corenet_udp_bind_nmbd_port(nmbd_t) -corenet_sendrecv_nmbd_server_packets(nmbd_t) -corenet_sendrecv_nmbd_client_packets(nmbd_t) -corenet_tcp_connect_smbd_port(nmbd_t) - -dev_read_sysfs(nmbd_t) -dev_getattr_mtrr_dev(nmbd_t) - -fs_getattr_all_fs(nmbd_t) -fs_search_auto_mountpoints(nmbd_t) - -domain_use_interactive_fds(nmbd_t) - -files_read_usr_files(nmbd_t) -files_read_etc_files(nmbd_t) -files_list_var_lib(nmbd_t) - -auth_use_nsswitch(nmbd_t) - -logging_search_logs(nmbd_t) -logging_send_syslog_msg(nmbd_t) - -miscfiles_read_localization(nmbd_t) - -userdom_use_unpriv_users_fds(nmbd_t) -userdom_dontaudit_search_user_home_dirs(nmbd_t) - -optional_policy(` - seutil_sigchld_newrole(nmbd_t) -') - -optional_policy(` - udev_read_db(nmbd_t) -') - -######################################## -# -# smbcontrol local policy -# - -# internal communication is often done using fifo and unix sockets. -allow smbcontrol_t self:fifo_file rw_file_perms; -allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; - -allow smbcontrol_t nmbd_t:process { signal signull }; - -allow smbcontrol_t nmbd_var_run_t:file { read lock }; - -allow smbcontrol_t smbd_t:process signal; - -allow smbcontrol_t winbind_t:process { signal signull }; - -samba_read_config(smbcontrol_t) -samba_rw_var_files(smbcontrol_t) -samba_search_var(smbcontrol_t) -samba_read_winbind_pid(smbcontrol_t) - -domain_use_interactive_fds(smbcontrol_t) - -files_read_etc_files(smbcontrol_t) - -miscfiles_read_localization(smbcontrol_t) - -userdom_use_user_terminals(smbcontrol_t) - -######################################## -# -# smbmount Local policy -# - -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? -allow smbmount_t self:process { fork signal_perms }; -allow smbmount_t self:tcp_socket create_stream_socket_perms; -allow smbmount_t self:udp_socket connect; -allow smbmount_t self:unix_dgram_socket create_socket_perms; -allow smbmount_t self:unix_stream_socket create_socket_perms; - -allow smbmount_t samba_etc_t:dir list_dir_perms; -allow smbmount_t samba_etc_t:file read_file_perms; - -can_exec(smbmount_t, smbmount_exec_t) - -allow smbmount_t samba_log_t:dir list_dir_perms; -allow smbmount_t samba_log_t:file manage_file_perms; - -allow smbmount_t samba_secrets_t:file manage_file_perms; - -manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) -files_list_var_lib(smbmount_t) - -kernel_read_system_state(smbmount_t) - -corenet_all_recvfrom_unlabeled(smbmount_t) -corenet_all_recvfrom_netlabel(smbmount_t) -corenet_tcp_sendrecv_generic_if(smbmount_t) -corenet_raw_sendrecv_generic_if(smbmount_t) -corenet_udp_sendrecv_generic_if(smbmount_t) -corenet_tcp_sendrecv_generic_node(smbmount_t) -corenet_raw_sendrecv_generic_node(smbmount_t) -corenet_udp_sendrecv_generic_node(smbmount_t) -corenet_tcp_sendrecv_all_ports(smbmount_t) -corenet_udp_sendrecv_all_ports(smbmount_t) -corenet_tcp_bind_generic_node(smbmount_t) -corenet_udp_bind_generic_node(smbmount_t) -corenet_tcp_connect_all_ports(smbmount_t) - -fs_getattr_cifs(smbmount_t) -fs_mount_cifs(smbmount_t) -fs_remount_cifs(smbmount_t) -fs_unmount_cifs(smbmount_t) -fs_list_cifs(smbmount_t) -fs_read_cifs_files(smbmount_t) - -storage_raw_read_fixed_disk(smbmount_t) -storage_raw_write_fixed_disk(smbmount_t) - -corecmd_list_bin(smbmount_t) - -files_list_mnt(smbmount_t) -files_mounton_mnt(smbmount_t) -files_manage_etc_runtime_files(smbmount_t) -files_etc_filetrans_etc_runtime(smbmount_t, file) -files_read_etc_files(smbmount_t) - -auth_use_nsswitch(smbmount_t) - -miscfiles_read_localization(smbmount_t) - -mount_use_fds(smbmount_t) - -locallogin_use_fds(smbmount_t) - -logging_search_logs(smbmount_t) - -userdom_use_user_terminals(smbmount_t) -userdom_use_all_users_fds(smbmount_t) - -optional_policy(` - cups_read_rw_config(smbmount_t) -') - -######################################## -# -# SWAT Local policy -# - -allow swat_t self:capability { dac_override setuid setgid sys_resource }; -allow swat_t self:process { setrlimit signal_perms }; -allow swat_t self:fifo_file rw_fifo_file_perms; -allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow swat_t self:tcp_socket create_stream_socket_perms; -allow swat_t self:udp_socket create_socket_perms; -allow swat_t self:unix_stream_socket connectto; - -samba_domtrans_smbd(swat_t) -allow swat_t smbd_t:process { signal signull }; - -samba_domtrans_nmbd(swat_t) -allow swat_t nmbd_t:process { signal signull }; -allow nmbd_t swat_t:process signal; - -allow swat_t smbd_var_run_t:file { lock unlink }; - -allow swat_t smbd_port_t:tcp_socket name_bind; - -allow swat_t nmbd_port_t:udp_socket name_bind; - -rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - -manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -manage_files_pattern(swat_t, samba_log_t, samba_log_t) - -manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) - -manage_files_pattern(swat_t, samba_var_t, samba_var_t) - -allow swat_t smbd_exec_t:file mmap_file_perms ; - -allow swat_t smbd_t:process signull; - -allow swat_t smbd_var_run_t:file read_file_perms; - -manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) -manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) - -manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) -files_pid_filetrans(swat_t, swat_var_run_t, file) - -allow swat_t winbind_exec_t:file mmap_file_perms; -domtrans_pattern(swat_t, winbind_exec_t, winbind_t) -allow swat_t winbind_t:process { signal signull }; - -allow swat_t winbind_var_run_t:dir { write add_name remove_name }; -allow swat_t winbind_var_run_t:sock_file { create unlink }; - -kernel_read_kernel_sysctls(swat_t) -kernel_read_system_state(swat_t) -kernel_read_network_state(swat_t) - -corecmd_search_bin(swat_t) - -corenet_all_recvfrom_unlabeled(swat_t) -corenet_all_recvfrom_netlabel(swat_t) -corenet_tcp_sendrecv_generic_if(swat_t) -corenet_udp_sendrecv_generic_if(swat_t) -corenet_raw_sendrecv_generic_if(swat_t) -corenet_tcp_sendrecv_generic_node(swat_t) -corenet_udp_sendrecv_generic_node(swat_t) -corenet_raw_sendrecv_generic_node(swat_t) -corenet_tcp_sendrecv_all_ports(swat_t) -corenet_udp_sendrecv_all_ports(swat_t) -corenet_tcp_connect_smbd_port(swat_t) -corenet_tcp_connect_ipp_port(swat_t) -corenet_sendrecv_smbd_client_packets(swat_t) -corenet_sendrecv_ipp_client_packets(swat_t) - -dev_read_urand(swat_t) - -files_list_var_lib(swat_t) -files_read_etc_files(swat_t) -files_search_home(swat_t) -files_read_usr_files(swat_t) -fs_getattr_xattr_fs(swat_t) - -auth_domtrans_chk_passwd(swat_t) -auth_use_nsswitch(swat_t) - -init_read_utmp(swat_t) -init_dontaudit_write_utmp(swat_t) - -logging_send_syslog_msg(swat_t) -logging_send_audit_msgs(swat_t) -logging_search_logs(swat_t) - -miscfiles_read_localization(swat_t) - -optional_policy(` - cups_read_rw_config(swat_t) - cups_stream_connect(swat_t) -') - -optional_policy(` - inetd_service_domain(swat_t, swat_exec_t) -') - -optional_policy(` - kerberos_use(swat_t) -') - -######################################## -# -# Winbind local policy -# - -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; -dontaudit winbind_t self:capability sys_tty_config; -allow winbind_t self:process { signal_perms getsched setsched }; -allow winbind_t self:fifo_file rw_fifo_file_perms; -allow winbind_t self:unix_dgram_socket create_socket_perms; -allow winbind_t self:unix_stream_socket create_stream_socket_perms; -allow winbind_t self:tcp_socket create_stream_socket_perms; -allow winbind_t self:udp_socket create_socket_perms; - -allow winbind_t nmbd_t:process { signal signull }; - -allow winbind_t nmbd_var_run_t:file read_file_perms; - -allow winbind_t samba_etc_t:dir list_dir_perms; -read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t) - -manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) -filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) - -manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) -manage_files_pattern(winbind_t, samba_log_t, samba_log_t) -manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) - -manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -manage_files_pattern(winbind_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) -files_list_var_lib(winbind_t) - -rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) - -allow winbind_t winbind_log_t:file manage_file_perms; -logging_log_filetrans(winbind_t, winbind_log_t, file) - -manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) - -manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, file) - -kernel_read_kernel_sysctls(winbind_t) -kernel_read_system_state(winbind_t) - -corecmd_exec_bin(winbind_t) - -corenet_all_recvfrom_unlabeled(winbind_t) -corenet_all_recvfrom_netlabel(winbind_t) -corenet_tcp_sendrecv_generic_if(winbind_t) -corenet_udp_sendrecv_generic_if(winbind_t) -corenet_raw_sendrecv_generic_if(winbind_t) -corenet_tcp_sendrecv_generic_node(winbind_t) -corenet_udp_sendrecv_generic_node(winbind_t) -corenet_raw_sendrecv_generic_node(winbind_t) -corenet_tcp_sendrecv_all_ports(winbind_t) -corenet_udp_sendrecv_all_ports(winbind_t) -corenet_tcp_bind_generic_node(winbind_t) -corenet_udp_bind_generic_node(winbind_t) -corenet_tcp_connect_smbd_port(winbind_t) -corenet_tcp_connect_epmap_port(winbind_t) -corenet_tcp_connect_all_unreserved_ports(winbind_t) - -dev_read_sysfs(winbind_t) -dev_read_urand(winbind_t) - -fs_getattr_all_fs(winbind_t) -fs_search_auto_mountpoints(winbind_t) - -auth_domtrans_chk_passwd(winbind_t) -auth_use_nsswitch(winbind_t) -auth_manage_cache(winbind_t) - -domain_use_interactive_fds(winbind_t) - -files_read_etc_files(winbind_t) -files_read_usr_symlinks(winbind_t) - -logging_send_syslog_msg(winbind_t) - -miscfiles_read_localization(winbind_t) - -userdom_dontaudit_use_unpriv_user_fds(winbind_t) -userdom_manage_user_home_content_dirs(winbind_t) -userdom_manage_user_home_content_files(winbind_t) -userdom_manage_user_home_content_symlinks(winbind_t) -userdom_manage_user_home_content_pipes(winbind_t) -userdom_manage_user_home_content_sockets(winbind_t) -userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) - -optional_policy(` - kerberos_use(winbind_t) -') - -optional_policy(` - seutil_sigchld_newrole(winbind_t) -') - -optional_policy(` - udev_read_db(winbind_t) -') - -######################################## -# -# Winbind helper local policy -# - -allow winbind_helper_t self:unix_dgram_socket create_socket_perms; -allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; - -allow winbind_helper_t samba_etc_t:dir list_dir_perms; -read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) -read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) - -allow winbind_helper_t samba_var_t:dir search_dir_perms; -files_list_var_lib(winbind_helper_t) - -allow winbind_t smbcontrol_t:process signal; - -stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) - -term_list_ptys(winbind_helper_t) - -domain_use_interactive_fds(winbind_helper_t) - -auth_use_nsswitch(winbind_helper_t) - -logging_send_syslog_msg(winbind_helper_t) - -miscfiles_read_localization(winbind_helper_t) - -userdom_use_user_terminals(winbind_helper_t) - -optional_policy(` - apache_append_log(winbind_helper_t) -') - -optional_policy(` - squid_read_log(winbind_helper_t) - squid_append_log(winbind_helper_t) - squid_rw_stream_sockets(winbind_helper_t) -') - -######################################## -# -# samba_unconfined_script_t local policy -# - -optional_policy(` - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; - domain_type(samba_unconfined_script_t) - domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) - corecmd_shell_entry_type(samba_unconfined_script_t) - role system_r types samba_unconfined_script_t; - - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; - - unconfined_domain(samba_unconfined_script_t) - - tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) - ') -') diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc deleted file mode 100644 index 94b2f7384..000000000 --- a/policy/modules/services/samhain.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,s0) - -/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh) - -/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0) -/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0) - -/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh) - -/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) -/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) - -/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh) diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if deleted file mode 100644 index c040ebf81..000000000 --- a/policy/modules/services/samhain.if +++ /dev/null @@ -1,292 +0,0 @@ -## Samhain - check file integrity - -####################################### -## -## The template containing the most basic rules -## common to the samhain domains. -## -## -## -## The prefix of the samhain domains(e.g., samhain -## for the domain of command line access, samhaind -## for the domain started by init script). -## -## -## -# -template(`samhain_service_template',` - gen_require(` - type etc_t, samhain_etc_t, samhain_exec_t; - type samhain_log_t, samhain_var_run_t; - ') - - type $1_t; - domain_type($1_t) - domain_entry_file($1_t, samhain_exec_t) - - allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock }; - dontaudit $1_t self:capability { sys_resource sys_ptrace }; - allow $1_t self:fd use; - allow $1_t self:process { setsched setrlimit signull }; - - allow $1_t samhain_etc_t:file read_file_perms; - files_search_etc($1_t) - - manage_files_pattern($1_t, samhain_log_t, samhain_log_t) - logging_log_filetrans($1_t, samhain_log_t, file) - - manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t) - files_pid_filetrans($1_t, samhain_var_run_t, file) - - # Samhain needs to get the attribute of /proc/kcore. - kernel_getattr_core_if($1_t) - - corecmd_list_bin($1_t) - corecmd_read_bin_symlinks($1_t) - - # To get entropy - dev_read_urand($1_t) - dev_dontaudit_read_rand($1_t) - - # Get the attributes of all kinds of files in the rootfs. - dev_getattr_all_blk_files($1_t) - dev_getattr_all_chr_files($1_t) - dev_getattr_generic_blk_files($1_t) - dev_getattr_generic_chr_files($1_t) - - files_getattr_all_dirs($1_t) - files_getattr_all_files($1_t) - files_getattr_all_symlinks($1_t) - files_getattr_all_pipes($1_t) - files_getattr_all_sockets($1_t) - files_getattr_all_mountpoints($1_t) - files_read_all_files($1_t) - files_read_all_symlinks($1_t) - - # Get the attribute of other filesystems mountpoint, such as /selinux - # /proc, /sys and /tmp, but not the contents inside, which suggests - # that following rules should be set in samhain configuration file: - # [Attributes] - # file = /tmp - # file = /proc - # file = /sys - # file = /selinux - # [IgnoreALL] - # dir = -1/tmp - # dir = -1/proc - # dir = -1/sys - # dir = -1/selinux - fs_getattr_all_dirs($1_t) - - # Samhain pid, log and log.lock files are all in directories of s0, - # while samhain daemon is running with the clearance level. - mls_file_write_all_levels($1_t) - - # Read from utmp when monitoring login/logout events. - auth_read_login_records($1_t) - - # Read from wtmp when monitoring login/logout events. - init_read_utmp($1_t) - - logging_send_syslog_msg($1_t) -') - -######################################## -## -## Execute samhain in the samhain domain -## -## -## -## Domain allowed to transition. -## -## -# -interface(`samhain_domtrans',` - gen_require(` - type samhain_t, samhain_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samhain_exec_t, samhain_t) -') - -######################################## -## -## Execute samhain in the samhain domain with the clearance security -## level and allow the specifiled role the samhain domain. -## -## -##

-## Execute samhain in the samhain domain with the clearance security -## level and allow the specifiled role the samhain domain. -##

-##

-## The range_transition rule used in this interface requires that -## the calling domain should have the clearance security level -## otherwise the MLS constraint for process transition would fail. -##

-## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed to access. -## -## -## -# -interface(`samhain_run',` - gen_require(` - type samhain_t, samhain_exec_t; - ') - - samhain_domtrans($1) - role $2 types samhain_t; - - ifdef(`enable_mls', ` - range_transition $1 samhain_exec_t:process mls_systemhigh; - ') -') - -######################################## -## -## Manage samhain configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_config_files',` - gen_require(` - type samhain_etc_t; - ') - - files_rw_etc_dirs($1) - allow $1 samhain_etc_t:file manage_file_perms; -') - -######################################## -## -## Manage samhain database files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_db_files',` - gen_require(` - type samhain_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samhain_db_t, samhain_db_t) -') - -####################################### -## -## Manage samhain init script files -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_init_script_files',` - gen_require(` - type samhain_initrc_exec_t; - ') - - files_search_etc($1) - manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) -') - -######################################## -## -## Manage samhain log and log.lock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_log_files',` - gen_require(` - type samhain_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, samhain_log_t, samhain_log_t) -') - -######################################## -## -## Manage samhain pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_manage_pid_files',` - gen_require(` - type samhain_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) -') - -####################################### -## -## All of the rules required to administrate -## the samhain environment. -## -## -##

-## This interface assumes that the calling domain has been able to -## remove an entry from /var/lib/ or /var/log/ and belongs to the -## mlsfilewrite attribute, since samhain files may be of clearance -## security level while their parent directories are of s0. -##

-## -## -## -## Domain allowed access. -## -## -# -interface(`samhain_admin',` - gen_require(` - type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t; - type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; - ') - - allow $1 samhain_t:process { ptrace signal_perms }; - ps_process_pattern($1, samhain_t) - - allow $1 samhaind_t:process { ptrace signal_perms }; - ps_process_pattern($1, samhaind_t) - - files_list_var_lib($1) - admin_pattern($1, samhain_db_t) - - files_list_etc($1) - admin_pattern($1, samhain_etc_t) - admin_pattern($1, samhain_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, samhain_log_t) - - files_list_pids($1) - admin_pattern($1, samhain_var_run_t) -') diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te deleted file mode 100644 index acd170031..000000000 --- a/policy/modules/services/samhain.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(samhain, 1.1.0) - -######################################## -# -# Declarations -# - -type samhain_etc_t; -files_config_file(samhain_etc_t) - -type samhain_exec_t; -corecmd_executable_file(samhain_exec_t) - -type samhain_log_t; -logging_log_file(samhain_log_t) - -# Filesystem signature database -type samhain_db_t; -files_type(samhain_db_t) - -type samhain_initrc_exec_t; -init_script_file(samhain_initrc_exec_t) - -type samhain_var_run_t; -files_pid_file(samhain_var_run_t) - -# Domain for command line access -samhain_service_template(samhain) -application_domain(samhain_t, samhain_exec_t) - -# Domain for samhain service started by samhain init script -samhain_service_template(samhaind) - -ifdef(`enable_mcs',` - # This is system instead of daemon to work around - # a type transition conflict - init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh) -') - -ifdef(`enable_mls',` - # This is system instead of daemon to work around - # a type transition conflict - init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh) -') - -######################################## -# -# Samhain local policy -# - -manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t) -files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) - -domain_use_interactive_fds(samhain_t) - -seutil_sigchld_newrole(samhain_t) - -userdom_use_user_terminals(samhain_t) - -######################################## -# -# Samhaind local policy -# - -# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t -# Need signull to get the status of samhain_t -allow samhaind_t { samhain_t self }:process signal_perms; - -# Only needed when starting samhain daemon from its init script. -can_exec(samhaind_t, samhain_exec_t) - -read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t) - -# init script ptys are the stdin/out/err -# when using run_init -init_use_script_ptys(samhaind_t) diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc deleted file mode 100644 index 7e5867968..000000000 --- a/policy/modules/services/sasl.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) - -# -# /var -# -/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) -/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if deleted file mode 100644 index f1aea88a7..000000000 --- a/policy/modules/services/sasl.if +++ /dev/null @@ -1,58 +0,0 @@ -## SASL authentication server - -######################################## -## -## Connect to SASL. -## -## -## -## Domain allowed access. -## -## -# -interface(`sasl_connect',` - gen_require(` - type saslauthd_t, saslauthd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t) -') - -######################################## -## -## All of the rules required to administrate -## an sasl environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sasl_admin',` - gen_require(` - type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; - type saslauthd_initrc_exec_t; - ') - - allow $1 saslauthd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, saslauthd_t) - - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, saslauthd_tmp_t) - - files_list_pids($1) - admin_pattern($1, saslauthd_var_run_t) -') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te deleted file mode 100644 index 9d9f8cef7..000000000 --- a/policy/modules/services/sasl.te +++ /dev/null @@ -1,110 +0,0 @@ -policy_module(sasl, 1.14.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow sasl to read shadow -##

-## -gen_tunable(allow_saslauthd_read_shadow, false) - -type saslauthd_t; -type saslauthd_exec_t; -init_daemon_domain(saslauthd_t, saslauthd_exec_t) - -type saslauthd_initrc_exec_t; -init_script_file(saslauthd_initrc_exec_t) - -type saslauthd_tmp_t; -files_tmp_file(saslauthd_tmp_t) - -type saslauthd_var_run_t; -files_pid_file(saslauthd_var_run_t) - -######################################## -# -# Local policy -# - -allow saslauthd_t self:capability { setgid setuid }; -dontaudit saslauthd_t self:capability sys_tty_config; -allow saslauthd_t self:process signal_perms; -allow saslauthd_t self:fifo_file rw_fifo_file_perms; -allow saslauthd_t self:unix_dgram_socket create_socket_perms; -allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; -allow saslauthd_t self:tcp_socket create_socket_perms; - -allow saslauthd_t saslauthd_tmp_t:dir setattr; -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) - -manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file) - -kernel_read_kernel_sysctls(saslauthd_t) -kernel_read_system_state(saslauthd_t) - -corenet_all_recvfrom_unlabeled(saslauthd_t) -corenet_all_recvfrom_netlabel(saslauthd_t) -corenet_tcp_sendrecv_generic_if(saslauthd_t) -corenet_tcp_sendrecv_generic_node(saslauthd_t) -corenet_tcp_sendrecv_all_ports(saslauthd_t) -corenet_tcp_connect_pop_port(saslauthd_t) -corenet_sendrecv_pop_client_packets(saslauthd_t) - -dev_read_urand(saslauthd_t) - -fs_getattr_all_fs(saslauthd_t) -fs_search_auto_mountpoints(saslauthd_t) - -selinux_compute_access_vector(saslauthd_t) - -auth_use_pam(saslauthd_t) - -domain_use_interactive_fds(saslauthd_t) - -files_read_etc_files(saslauthd_t) -files_dontaudit_read_etc_runtime_files(saslauthd_t) -files_search_var_lib(saslauthd_t) -files_dontaudit_getattr_home_dir(saslauthd_t) -files_dontaudit_getattr_tmp_dirs(saslauthd_t) - -init_dontaudit_stream_connect_script(saslauthd_t) - -logging_send_syslog_msg(saslauthd_t) - -miscfiles_read_localization(saslauthd_t) -miscfiles_read_generic_certs(saslauthd_t) - -seutil_dontaudit_read_config(saslauthd_t) - -userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) -userdom_dontaudit_search_user_home_dirs(saslauthd_t) - -# cjp: typeattribute doesnt work in conditionals -auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` - auth_tunable_read_shadow(saslauthd_t) -') - -optional_policy(` - kerberos_keytab_template(saslauthd, saslauthd_t) -') - -optional_policy(` - mysql_search_db(saslauthd_t) - mysql_stream_connect(saslauthd_t) -') - -optional_policy(` - seutil_sigchld_newrole(saslauthd_t) -') - -optional_policy(` - udev_read_db(saslauthd_t) -') diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc deleted file mode 100644 index a86ec50e4..000000000 --- a/policy/modules/services/sendmail.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) -/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) - -/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if deleted file mode 100644 index 7e94c7cfa..000000000 --- a/policy/modules/services/sendmail.if +++ /dev/null @@ -1,297 +0,0 @@ -## Policy for sendmail. - -######################################## -## -## Sendmail stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_stub',` - gen_require(` - type sendmail_t; - ') -') - -######################################## -## -## Allow attempts to read and write to -## sendmail unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_rw_pipes',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Domain transition to sendmail. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sendmail_domtrans',` - gen_require(` - type sendmail_t; - ') - - mta_sendmail_domtrans($1, sendmail_t) - - allow sendmail_t $1:fd use; - allow sendmail_t $1:fifo_file rw_file_perms; - allow sendmail_t $1:process sigchld; -') - -######################################## -## -## Execute the sendmail program in the sendmail domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the sendmail domain. -## -## -## -# -interface(`sendmail_run',` - gen_require(` - type sendmail_t; - ') - - sendmail_domtrans($1) - role $2 types sendmail_t; -') - -######################################## -## -## Send generic signals to sendmail. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_signal',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:process signal; -') - -######################################## -## -## Read and write sendmail TCP sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_rw_tcp_sockets',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:tcp_socket { read write }; -') - -######################################## -## -## Do not audit attempts to read and write -## sendmail TCP sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`sendmail_dontaudit_rw_tcp_sockets',` - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:tcp_socket { read write }; -') - -######################################## -## -## Read and write sendmail unix_stream_sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_rw_unix_stream_sockets',` - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; -') - -######################################## -## -## Do not audit attempts to read and write -## sendmail unix_stream_sockets. -## -## -## -## Domain to not audit. -## -## -# -interface(`sendmail_dontaudit_rw_unix_stream_sockets',` - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; -') - -######################################## -## -## Read sendmail logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sendmail_read_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, sendmail_log_t, sendmail_log_t) -') - -######################################## -## -## Create, read, write, and delete sendmail logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sendmail_manage_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sendmail_log_t, sendmail_log_t) -') - -######################################## -## -## Create sendmail logs with the correct type. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_create_log',` - gen_require(` - type sendmail_log_t; - ') - - logging_log_filetrans($1, sendmail_log_t, file) -') - -######################################## -## -## Manage sendmail tmp files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sendmail_manage_tmp_files',` - gen_require(` - type sendmail_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t) -') - -######################################## -## -## Execute sendmail in the unconfined sendmail domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sendmail_domtrans_unconfined',` - gen_require(` - type unconfined_sendmail_t; - ') - - mta_sendmail_domtrans($1, unconfined_sendmail_t) -') - -######################################## -## -## Execute sendmail in the unconfined sendmail domain, and -## allow the specified role the unconfined sendmail domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`sendmail_run_unconfined',` - gen_require(` - type unconfined_sendmail_t; - ') - - sendmail_domtrans_unconfined($1) - role $2 types unconfined_sendmail_t; -') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te deleted file mode 100644 index 22dac1fe9..000000000 --- a/policy/modules/services/sendmail.te +++ /dev/null @@ -1,187 +0,0 @@ -policy_module(sendmail, 1.11.0) - -######################################## -# -# Declarations -# - -type sendmail_log_t; -logging_log_file(sendmail_log_t) - -type sendmail_tmp_t; -files_tmp_file(sendmail_tmp_t) - -type sendmail_var_run_t; -files_pid_file(sendmail_var_run_t) - -type sendmail_t; -mta_sendmail_mailserver(sendmail_t) -mta_mailserver_delivery(sendmail_t) -mta_mailserver_sender(sendmail_t) - -type unconfined_sendmail_t; -application_domain(unconfined_sendmail_t, sendmail_exec_t) -role system_r types unconfined_sendmail_t; - -######################################## -# -# Sendmail local policy -# - -allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; -allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket create_stream_socket_perms; -allow sendmail_t self:unix_dgram_socket create_socket_perms; -allow sendmail_t self:tcp_socket create_stream_socket_perms; -allow sendmail_t self:udp_socket create_socket_perms; - -allow sendmail_t sendmail_log_t:dir setattr; -manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) - -manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) - -allow sendmail_t sendmail_var_run_t:file manage_file_perms; -files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) - -kernel_read_network_state(sendmail_t) -kernel_read_kernel_sysctls(sendmail_t) -# for piping mail to a command -kernel_read_system_state(sendmail_t) - -corenet_all_recvfrom_unlabeled(sendmail_t) -corenet_all_recvfrom_netlabel(sendmail_t) -corenet_tcp_sendrecv_generic_if(sendmail_t) -corenet_tcp_sendrecv_generic_node(sendmail_t) -corenet_tcp_sendrecv_all_ports(sendmail_t) -corenet_tcp_bind_generic_node(sendmail_t) -corenet_tcp_bind_smtp_port(sendmail_t) -corenet_tcp_connect_all_ports(sendmail_t) -corenet_sendrecv_smtp_server_packets(sendmail_t) -corenet_sendrecv_smtp_client_packets(sendmail_t) - -dev_read_urand(sendmail_t) -dev_read_sysfs(sendmail_t) - -fs_getattr_all_fs(sendmail_t) -fs_search_auto_mountpoints(sendmail_t) -fs_rw_anon_inodefs_files(sendmail_t) - -term_dontaudit_use_console(sendmail_t) -term_dontaudit_use_generic_ptys(sendmail_t) - -# for piping mail to a command -corecmd_exec_shell(sendmail_t) -corecmd_exec_bin(sendmail_t) - -domain_use_interactive_fds(sendmail_t) - -files_read_etc_files(sendmail_t) -files_read_usr_files(sendmail_t) -files_search_spool(sendmail_t) -# for piping mail to a command -files_read_etc_runtime_files(sendmail_t) - -init_use_fds(sendmail_t) -init_use_script_ptys(sendmail_t) -# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console -init_read_utmp(sendmail_t) -init_dontaudit_write_utmp(sendmail_t) - -auth_use_nsswitch(sendmail_t) - -# Read /usr/lib/sasl2/.* -libs_read_lib_files(sendmail_t) - -logging_send_syslog_msg(sendmail_t) -logging_dontaudit_write_generic_logs(sendmail_t) - -miscfiles_read_generic_certs(sendmail_t) -miscfiles_read_localization(sendmail_t) - -userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -userdom_dontaudit_search_user_home_dirs(sendmail_t) - -mta_read_config(sendmail_t) -mta_etc_filetrans_aliases(sendmail_t) -# Write to /etc/aliases and /etc/mail. -mta_manage_aliases(sendmail_t) -# Write to /var/spool/mail and /var/spool/mqueue. -mta_manage_queue(sendmail_t) -mta_manage_spool(sendmail_t) -mta_sendmail_exec(sendmail_t) - -optional_policy(` - cron_read_pipes(sendmail_t) -') - -optional_policy(` - clamav_search_lib(sendmail_t) - clamav_stream_connect(sendmail_t) -') - -optional_policy(` - cyrus_stream_connect(sendmail_t) -') - -optional_policy(` - exim_domtrans(sendmail_t) -') - -optional_policy(` - fail2ban_read_lib_files(sendmail_t) - fail2ban_rw_stream_sockets(sendmail_t) -') - -optional_policy(` - kerberos_keytab_template(sendmail, sendmail_t) -') - -optional_policy(` - milter_stream_connect_all(sendmail_t) -') - -optional_policy(` - munin_dontaudit_search_lib(sendmail_t) -') - -optional_policy(` - postfix_domtrans_master(sendmail_t) - postfix_read_config(sendmail_t) - postfix_search_spool(sendmail_t) -') - -optional_policy(` - procmail_domtrans(sendmail_t) - procmail_rw_tmp_files(sendmail_t) -') - -optional_policy(` - seutil_sigchld_newrole(sendmail_t) -') - -optional_policy(` - sasl_connect(sendmail_t) -') - -optional_policy(` - udev_read_db(sendmail_t) -') - -optional_policy(` - uucp_domtrans_uux(sendmail_t) -') - -######################################## -# -# Unconfined sendmail local policy -# Allow unconfined domain to run newalias and have transitions work -# - -optional_policy(` - mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) -') diff --git a/policy/modules/services/setroubleshoot.fc b/policy/modules/services/setroubleshoot.fc deleted file mode 100644 index 397a5225b..000000000 --- a/policy/modules/services/setroubleshoot.fc +++ /dev/null @@ -1,9 +0,0 @@ -/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) - -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) - -/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) - -/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) - -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if deleted file mode 100644 index bcdd16c77..000000000 --- a/policy/modules/services/setroubleshoot.if +++ /dev/null @@ -1,135 +0,0 @@ -## SELinux troubleshooting service - -######################################## -## -## Connect to setroubleshootd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`setroubleshoot_stream_connect',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) - allow $1 setroubleshoot_var_run_t:sock_file read; -') - -######################################## -## -## Dontaudit attempts to connect to setroubleshootd -## over an unix stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`setroubleshoot_dontaudit_stream_connect',` - gen_require(` - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - - dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; -') - -######################################## -## -## Send and receive messages from -## setroubleshoot over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`setroubleshoot_dbus_chat',` - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - allow $1 setroubleshootd_t:dbus send_msg; - allow setroubleshootd_t $1:dbus send_msg; -') - -######################################## -## -## Do not audit send and receive messages from -## setroubleshoot over dbus. -## -## -## -## Domain to not audit. -## -## -# -interface(`setroubleshoot_dontaudit_dbus_chat',` - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - dontaudit $1 setroubleshootd_t:dbus send_msg; - dontaudit setroubleshootd_t $1:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## setroubleshoot fixit over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`setroubleshoot_dbus_chat_fixit',` - gen_require(` - type setroubleshoot_fixit_t; - class dbus send_msg; - ') - - allow $1 setroubleshoot_fixit_t:dbus send_msg; - allow setroubleshoot_fixit_t $1:dbus send_msg; -') - -######################################## -## -## All of the rules required to administrate -## an setroubleshoot environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`setroubleshoot_admin',` - gen_require(` - type setroubleshootd_t, setroubleshoot_log_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; - ') - - allow $1 setroubleshootd_t:process { ptrace signal_perms }; - ps_process_pattern($1, setroubleshootd_t) - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_log_t) - - files_list_var_lib($1) - admin_pattern($1, setroubleshoot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, setroubleshoot_var_run_t) -') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te deleted file mode 100644 index 086cd5fe0..000000000 --- a/policy/modules/services/setroubleshoot.te +++ /dev/null @@ -1,177 +0,0 @@ -policy_module(setroubleshoot, 1.11.0) - -######################################## -# -# Declarations -# - -type setroubleshootd_t alias setroubleshoot_t; -type setroubleshootd_exec_t; -domain_type(setroubleshootd_t) -init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) - -type setroubleshoot_fixit_t; -type setroubleshoot_fixit_exec_t; -dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) - -type setroubleshoot_var_lib_t; -files_type(setroubleshoot_var_lib_t) - -# log files -type setroubleshoot_var_log_t; -logging_log_file(setroubleshoot_var_log_t) - -# pid files -type setroubleshoot_var_run_t; -files_pid_file(setroubleshoot_var_run_t) - -######################################## -# -# setroubleshootd local policy -# - -allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; -allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; -allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; -allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; - -# database files -allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) -files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) - -# log files -allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) - -# pid file -manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(setroubleshootd_t) -kernel_read_system_state(setroubleshootd_t) -kernel_read_net_sysctls(setroubleshootd_t) -kernel_read_network_state(setroubleshootd_t) - -corecmd_exec_bin(setroubleshootd_t) -corecmd_exec_shell(setroubleshootd_t) - -corenet_all_recvfrom_unlabeled(setroubleshootd_t) -corenet_all_recvfrom_netlabel(setroubleshootd_t) -corenet_tcp_sendrecv_generic_if(setroubleshootd_t) -corenet_tcp_sendrecv_generic_node(setroubleshootd_t) -corenet_tcp_sendrecv_all_ports(setroubleshootd_t) -corenet_tcp_bind_generic_node(setroubleshootd_t) -corenet_tcp_connect_smtp_port(setroubleshootd_t) -corenet_sendrecv_smtp_client_packets(setroubleshootd_t) - -dev_read_urand(setroubleshootd_t) -dev_read_sysfs(setroubleshootd_t) -dev_getattr_all_blk_files(setroubleshootd_t) -dev_getattr_all_chr_files(setroubleshootd_t) - -domain_dontaudit_search_all_domains_state(setroubleshootd_t) -domain_signull_all_domains(setroubleshootd_t) - -files_read_usr_files(setroubleshootd_t) -files_read_etc_files(setroubleshootd_t) -files_list_all(setroubleshootd_t) -files_getattr_all_files(setroubleshootd_t) -files_getattr_all_pipes(setroubleshootd_t) -files_getattr_all_sockets(setroubleshootd_t) -files_read_all_symlinks(setroubleshootd_t) - -fs_getattr_all_dirs(setroubleshootd_t) -fs_getattr_all_files(setroubleshootd_t) -fs_read_fusefs_symlinks(setroubleshootd_t) -fs_list_inotifyfs(setroubleshootd_t) -fs_dontaudit_read_nfs_files(setroubleshootd_t) -fs_dontaudit_read_cifs_files(setroubleshootd_t) - -selinux_get_enforce_mode(setroubleshootd_t) -selinux_validate_context(setroubleshootd_t) - -term_dontaudit_use_all_ptys(setroubleshootd_t) -term_dontaudit_use_all_ttys(setroubleshootd_t) - -auth_use_nsswitch(setroubleshootd_t) - -init_read_utmp(setroubleshootd_t) -init_dontaudit_write_utmp(setroubleshootd_t) - -miscfiles_read_localization(setroubleshootd_t) - -locallogin_dontaudit_use_fds(setroubleshootd_t) - -logging_send_audit_msgs(setroubleshootd_t) -logging_send_syslog_msg(setroubleshootd_t) -logging_stream_connect_dispatcher(setroubleshootd_t) - -modutils_read_module_config(setroubleshootd_t) - -seutil_read_config(setroubleshootd_t) -seutil_read_file_contexts(setroubleshootd_t) -seutil_read_bin_policy(setroubleshootd_t) - -userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) - -optional_policy(` - dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) -') - -optional_policy(` - rpm_signull(setroubleshootd_t) - rpm_read_db(setroubleshootd_t) - rpm_dontaudit_manage_db(setroubleshootd_t) - rpm_use_script_fds(setroubleshootd_t) -') - -######################################## -# -# setroubleshoot_fixit local policy -# - -allow setroubleshoot_fixit_t self:capability sys_nice; -allow setroubleshoot_fixit_t self:process { setsched getsched }; -allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; -allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; - -allow setroubleshoot_fixit_t setroubleshootd_t:process signull; - -setroubleshoot_dbus_chat(setroubleshoot_fixit_t) -setroubleshoot_stream_connect(setroubleshoot_fixit_t) - -kernel_read_system_state(setroubleshoot_fixit_t) - -corecmd_exec_bin(setroubleshoot_fixit_t) -corecmd_exec_shell(setroubleshoot_fixit_t) - -seutil_domtrans_setfiles(setroubleshoot_fixit_t) - -files_read_usr_files(setroubleshoot_fixit_t) -files_read_etc_files(setroubleshoot_fixit_t) -files_list_tmp(setroubleshoot_fixit_t) - -auth_use_nsswitch(setroubleshoot_fixit_t) - -logging_send_audit_msgs(setroubleshoot_fixit_t) -logging_send_syslog_msg(setroubleshoot_fixit_t) - -miscfiles_read_localization(setroubleshoot_fixit_t) - -optional_policy(` - rpm_signull(setroubleshoot_fixit_t) - rpm_read_db(setroubleshoot_fixit_t) - rpm_dontaudit_manage_db(setroubleshoot_fixit_t) - rpm_use_script_fds(setroubleshoot_fixit_t) -') - -optional_policy(` - policykit_dbus_chat(setroubleshoot_fixit_t) - userdom_read_all_users_state(setroubleshoot_fixit_t) -') diff --git a/policy/modules/services/slrnpull.fc b/policy/modules/services/slrnpull.fc deleted file mode 100644 index 1714ce0ea..000000000 --- a/policy/modules/services/slrnpull.fc +++ /dev/null @@ -1,10 +0,0 @@ -# -# /usr -# - -/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0) - -# -# /var -# -/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0) diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if deleted file mode 100644 index d7e8289e9..000000000 --- a/policy/modules/services/slrnpull.if +++ /dev/null @@ -1,42 +0,0 @@ -## Service for downloading news feeds the slrn newsreader. - -######################################## -## -## Allow the domain to search slrnpull spools. -## -## -## -## Domain allowed access. -## -## -# -interface(`slrnpull_search_spool',` - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - allow $1 slrnpull_spool_t:dir search_dir_perms; -') - -######################################## -## -## Allow the domain to create, read, -## write, and delete slrnpull spools. -## -## -## -## Domain allowed access. -## -## -# -interface(`slrnpull_manage_spool',` - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) -') diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te deleted file mode 100644 index e5e72fd9e..000000000 --- a/policy/modules/services/slrnpull.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(slrnpull, 1.4.0) - -######################################## -# -# Declarations -# - -type slrnpull_t; -type slrnpull_exec_t; -init_daemon_domain(slrnpull_t, slrnpull_exec_t) - -type slrnpull_var_run_t; -files_pid_file(slrnpull_var_run_t) - -type slrnpull_spool_t; -files_type(slrnpull_spool_t) - -type slrnpull_log_t; -logging_log_file(slrnpull_log_t) - -######################################## -# -# Local policy -# - -dontaudit slrnpull_t self:capability sys_tty_config; -allow slrnpull_t self:process signal_perms; - -allow slrnpull_t slrnpull_log_t:file manage_file_perms; -logging_log_filetrans(slrnpull_t, slrnpull_log_t, file) - -manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) -files_search_spool(slrnpull_t) - -manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t) -files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file) - -kernel_list_proc(slrnpull_t) -kernel_read_kernel_sysctls(slrnpull_t) -kernel_read_proc_symlinks(slrnpull_t) - -dev_read_sysfs(slrnpull_t) - -domain_use_interactive_fds(slrnpull_t) - -files_read_etc_files(slrnpull_t) - -fs_getattr_all_fs(slrnpull_t) -fs_search_auto_mountpoints(slrnpull_t) - -logging_send_syslog_msg(slrnpull_t) - -miscfiles_read_localization(slrnpull_t) - -userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) -userdom_dontaudit_search_user_home_dirs(slrnpull_t) - -optional_policy(` - cron_system_entry(slrnpull_t, slrnpull_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(slrnpull_t) -') - -optional_policy(` - udev_read_db(slrnpull_t) -') diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc deleted file mode 100644 index 268ae3d6d..000000000 --- a/policy/modules/services/smartmon.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) - -# -# /var -# -/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) - diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if deleted file mode 100644 index adea9f922..000000000 --- a/policy/modules/services/smartmon.if +++ /dev/null @@ -1,57 +0,0 @@ -## Smart disk monitoring daemon policy - -####################################### -## -## Allow caller to read smartmon temporary files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smartmon_read_tmp_files',` - gen_require(` - type fsdaemon_tmp_t; - ') - - allow $1 fsdaemon_tmp_t:file read_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an smartmon environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`smartmon_admin',` - gen_require(` - type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; - type fsdaemon_initrc_exec_t; - ') - - allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, fsdaemon_t) - - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fsdaemon_initrc_exec_t system_r; - allow $2 system_r; - - files_list_tmp($1) - admin_pattern($1, fsdaemon_tmp_t) - - files_list_pids($1) - admin_pattern($1, fsdaemon_var_run_t) -') diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te deleted file mode 100644 index 6b3322b7a..000000000 --- a/policy/modules/services/smartmon.te +++ /dev/null @@ -1,121 +0,0 @@ -policy_module(smartmon, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Enable additional permissions needed to support -## devices on 3ware controllers. -##

-## -gen_tunable(smartmon_3ware, false) - -type fsdaemon_t; -type fsdaemon_exec_t; -init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) - -type fsdaemon_initrc_exec_t; -init_script_file(fsdaemon_initrc_exec_t) - -type fsdaemon_var_run_t; -files_pid_file(fsdaemon_var_run_t) - -type fsdaemon_tmp_t; -files_tmp_file(fsdaemon_tmp_t) - -ifdef(`enable_mls',` - init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; -dontaudit fsdaemon_t self:capability sys_tty_config; -allow fsdaemon_t self:process { getcap setcap signal_perms }; -allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -allow fsdaemon_t self:unix_dgram_socket create_socket_perms; -allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; -allow fsdaemon_t self:udp_socket create_socket_perms; -allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms; - -manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) - -manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) -files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) - -kernel_read_kernel_sysctls(fsdaemon_t) -kernel_read_software_raid_state(fsdaemon_t) -kernel_read_system_state(fsdaemon_t) - -corecmd_exec_all_executables(fsdaemon_t) - -corenet_all_recvfrom_unlabeled(fsdaemon_t) -corenet_all_recvfrom_netlabel(fsdaemon_t) -corenet_udp_sendrecv_generic_if(fsdaemon_t) -corenet_udp_sendrecv_generic_node(fsdaemon_t) -corenet_udp_sendrecv_all_ports(fsdaemon_t) - -dev_read_sysfs(fsdaemon_t) -dev_read_urand(fsdaemon_t) - -domain_use_interactive_fds(fsdaemon_t) - -files_exec_etc_files(fsdaemon_t) -files_read_etc_runtime_files(fsdaemon_t) -files_read_usr_files(fsdaemon_t) -# for config -files_read_etc_files(fsdaemon_t) - -fs_getattr_all_fs(fsdaemon_t) -fs_search_auto_mountpoints(fsdaemon_t) - -mls_file_read_all_levels(fsdaemon_t) -#mls_rangetrans_target(fsdaemon_t) - -storage_raw_read_fixed_disk(fsdaemon_t) -storage_raw_write_fixed_disk(fsdaemon_t) -storage_raw_read_removable_device(fsdaemon_t) - -term_dontaudit_search_ptys(fsdaemon_t) - -libs_exec_ld_so(fsdaemon_t) -libs_exec_lib_files(fsdaemon_t) - -logging_send_syslog_msg(fsdaemon_t) - -miscfiles_read_localization(fsdaemon_t) - -seutil_sigchld_newrole(fsdaemon_t) - -sysnet_dns_name_resolve(fsdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -userdom_dontaudit_search_user_home_dirs(fsdaemon_t) - -tunable_policy(`smartmon_3ware',` - allow fsdaemon_t self:process setfscreate; - - storage_create_fixed_disk_dev(fsdaemon_t) - storage_delete_fixed_disk_dev(fsdaemon_t) - storage_dev_filetrans_fixed_disk(fsdaemon_t) - - selinux_validate_context(fsdaemon_t) - - seutil_read_file_contexts(fsdaemon_t) -') - -optional_policy(` - mta_send_mail(fsdaemon_t) -') - -optional_policy(` - udev_read_db(fsdaemon_t) -') diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc deleted file mode 100644 index 9ff2d99d2..000000000 --- a/policy/modules/services/smokeping.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) - -/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) - -/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) - -/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) - -/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if deleted file mode 100644 index 82652781b..000000000 --- a/policy/modules/services/smokeping.if +++ /dev/null @@ -1,167 +0,0 @@ -## Smokeping network latency measurement. - -######################################## -## -## Execute a domain transition to run smokeping. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`smokeping_domtrans',` - gen_require(` - type smokeping_t, smokeping_exec_t; - ') - - domtrans_pattern($1, smokeping_exec_t, smokeping_t) -') - -######################################## -## -## Execute smokeping server in the smokeping domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`smokeping_initrc_domtrans',` - gen_require(` - type smokeping_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, smokeping_initrc_exec_t) -') - -######################################## -## -## Read smokeping PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_read_pid_files',` - gen_require(` - type smokeping_var_run_t; - ') - - files_search_pids($1) - allow $1 smokeping_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage smokeping PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_manage_pid_files',` - gen_require(` - type smokeping_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t) -') - -######################################## -## -## Get attributes of smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_getattr_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) - files_search_var_lib($1) -') - -######################################## -## -## Read smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_read_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## -## Manage smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`smokeping_manage_lib_files',` - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## a smokeping environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`smokeping_admin',` - gen_require(` - type smokeping_t, smokeping_initrc_exec_t; - ') - - allow $1 smokeping_t:process { ptrace signal_perms }; - ps_process_pattern($1, smokeping_t) - - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 smokeping_initrc_exec_t system_r; - allow $2 system_r; - - smokeping_manage_pid_files($1) - - smokeping_manage_lib_files($1) -') diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te deleted file mode 100644 index 740994ace..000000000 --- a/policy/modules/services/smokeping.te +++ /dev/null @@ -1,77 +0,0 @@ -policy_module(smokeping, 1.1.0) - -######################################## -# -# Declarations -# - -type smokeping_t; -type smokeping_exec_t; -init_daemon_domain(smokeping_t, smokeping_exec_t) - -type smokeping_initrc_exec_t; -init_script_file(smokeping_initrc_exec_t) - -type smokeping_var_run_t; -files_pid_file(smokeping_var_run_t) - -type smokeping_var_lib_t; -files_type(smokeping_var_lib_t) - -######################################## -# -# smokeping local policy -# - -dontaudit smokeping_t self:capability { dac_read_search dac_override }; -allow smokeping_t self:fifo_file rw_fifo_file_perms; -allow smokeping_t self:udp_socket create_socket_perms; -allow smokeping_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) -manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) -files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir }) - -manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) -manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) -files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } ) - -corecmd_read_bin_symlinks(smokeping_t) - -dev_read_urand(smokeping_t) - -files_read_etc_files(smokeping_t) -files_read_usr_files(smokeping_t) -files_search_tmp(smokeping_t) - -auth_use_nsswitch(smokeping_t) -auth_dontaudit_read_shadow(smokeping_t) - -logging_send_syslog_msg(smokeping_t) - -miscfiles_read_localization(smokeping_t) - -mta_send_mail(smokeping_t) - -netutils_domtrans_ping(smokeping_t) - -####################################### -# -# local policy for smokeping cgi scripts -# - -optional_policy(` - apache_content_template(smokeping_cgi) - - allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - - getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - - files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) - - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) -') diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc deleted file mode 100644 index 623c8fad8..000000000 --- a/policy/modules/services/snmp.fc +++ /dev/null @@ -1,24 +0,0 @@ -/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) - -# -# /usr -# -/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0) - -/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -# -# /var -# -/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) - -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if deleted file mode 100644 index 275f9fb5c..000000000 --- a/policy/modules/services/snmp.if +++ /dev/null @@ -1,147 +0,0 @@ -## Simple network management protocol services - -######################################## -## -## Connect to snmpd using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_stream_connect',` - gen_require(` - type snmpd_t, snmpd_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) -') - -######################################## -## -## Use snmp over a TCP connection. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Send and receive UDP traffic to SNMP (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## Read snmpd libraries. -## -## -## -## Domain allowed access. -## -## -# -interface(`snmp_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -') - -######################################## -## -## dontaudit Read snmpd libraries. -## -## -## -## Domain to not audit. -## -## -# -interface(`snmp_dontaudit_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; - dontaudit $1 snmpd_var_lib_t:file read_file_perms; - dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; -') - -######################################## -## -## dontaudit write snmpd libraries files. -## -## -## -## Domain to not audit. -## -## -# -interface(`snmp_dontaudit_write_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:file write; -') - -######################################## -## -## All of the rules required to administrate -## an snmp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the snmp domain. -## -## -## -# -interface(`snmp_admin',` - gen_require(` - type snmpd_t, snmpd_log_t; - type snmpd_var_lib_t, snmpd_var_run_t; - type snmpd_initrc_exec_t; - ') - - allow $1 snmpd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, snmpd_t) - - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snmpd_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, snmpd_log_t) - - files_list_var_lib($1) - admin_pattern($1, snmpd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, snmpd_var_run_t) -') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te deleted file mode 100644 index eb3c1d006..000000000 --- a/policy/modules/services/snmp.te +++ /dev/null @@ -1,172 +0,0 @@ -policy_module(snmp, 1.12.0) - -######################################## -# -# Declarations -# -type snmpd_t; -type snmpd_exec_t; -init_daemon_domain(snmpd_t, snmpd_exec_t) - -type snmpd_initrc_exec_t; -init_script_file(snmpd_initrc_exec_t) - -type snmpd_log_t; -logging_log_file(snmpd_log_t) - -type snmpd_var_run_t; -files_pid_file(snmpd_var_run_t) - -type snmpd_var_lib_t; -files_type(snmpd_var_lib_t) - -######################################## -# -# Local policy -# -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; -dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -allow snmpd_t self:process { signal_perms getsched setsched }; -allow snmpd_t self:fifo_file rw_fifo_file_perms; -allow snmpd_t self:unix_dgram_socket create_socket_perms; -allow snmpd_t self:unix_stream_socket create_stream_socket_perms; -allow snmpd_t self:tcp_socket create_stream_socket_perms; -allow snmpd_t self:udp_socket connected_stream_socket_perms; - -allow snmpd_t snmpd_log_t:file manage_file_perms; -logging_log_filetrans(snmpd_t, snmpd_log_t, file) - -manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) -files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) -files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) - -manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) - -kernel_read_device_sysctls(snmpd_t) -kernel_read_kernel_sysctls(snmpd_t) -kernel_read_fs_sysctls(snmpd_t) -kernel_read_net_sysctls(snmpd_t) -kernel_read_proc_symlinks(snmpd_t) -kernel_read_system_state(snmpd_t) -kernel_read_network_state(snmpd_t) - -corecmd_exec_bin(snmpd_t) -corecmd_exec_shell(snmpd_t) - -corenet_all_recvfrom_unlabeled(snmpd_t) -corenet_all_recvfrom_netlabel(snmpd_t) -corenet_tcp_sendrecv_generic_if(snmpd_t) -corenet_udp_sendrecv_generic_if(snmpd_t) -corenet_tcp_sendrecv_generic_node(snmpd_t) -corenet_udp_sendrecv_generic_node(snmpd_t) -corenet_tcp_sendrecv_all_ports(snmpd_t) -corenet_udp_sendrecv_all_ports(snmpd_t) -corenet_tcp_bind_generic_node(snmpd_t) -corenet_udp_bind_generic_node(snmpd_t) -corenet_tcp_bind_snmp_port(snmpd_t) -corenet_udp_bind_snmp_port(snmpd_t) -corenet_sendrecv_snmp_server_packets(snmpd_t) -corenet_tcp_connect_agentx_port(snmpd_t) -corenet_tcp_bind_agentx_port(snmpd_t) -corenet_udp_bind_agentx_port(snmpd_t) - -dev_list_sysfs(snmpd_t) -dev_read_sysfs(snmpd_t) -dev_read_urand(snmpd_t) -dev_read_rand(snmpd_t) -dev_getattr_usbfs_dirs(snmpd_t) - -domain_use_interactive_fds(snmpd_t) -domain_signull_all_domains(snmpd_t) -domain_read_all_domains_state(snmpd_t) -domain_dontaudit_ptrace_all_domains(snmpd_t) -domain_exec_all_entry_files(snmpd_t) - -files_read_etc_files(snmpd_t) -files_read_usr_files(snmpd_t) -files_read_etc_runtime_files(snmpd_t) -files_search_home(snmpd_t) - -fs_getattr_all_dirs(snmpd_t) -fs_getattr_all_fs(snmpd_t) -fs_search_auto_mountpoints(snmpd_t) - -storage_dontaudit_read_fixed_disk(snmpd_t) -storage_dontaudit_read_removable_device(snmpd_t) - -auth_use_nsswitch(snmpd_t) -auth_read_all_dirs_except_auth_files(snmpd_t) - -init_read_utmp(snmpd_t) -init_dontaudit_write_utmp(snmpd_t) - -logging_send_syslog_msg(snmpd_t) - -miscfiles_read_localization(snmpd_t) - -seutil_dontaudit_search_config(snmpd_t) - -sysnet_read_config(snmpd_t) - -userdom_dontaudit_use_unpriv_user_fds(snmpd_t) -userdom_dontaudit_search_user_home_dirs(snmpd_t) - -ifdef(`distro_redhat', ` - optional_policy(` - rpm_read_db(snmpd_t) - rpm_dontaudit_manage_db(snmpd_t) - ') -') - -optional_policy(` - amanda_dontaudit_read_dumpdates(snmpd_t) -') - -optional_policy(` - consoletype_exec(snmpd_t) -') - -optional_policy(` - cups_read_rw_config(snmpd_t) -') - -optional_policy(` - mta_read_config(snmpd_t) - mta_search_queue(snmpd_t) -') - -optional_policy(` - rpc_search_nfs_state_data(snmpd_t) -') - -optional_policy(` - sendmail_read_log(snmpd_t) -') - -optional_policy(` - seutil_sigchld_newrole(snmpd_t) -') - -optional_policy(` - squid_read_config(snmpd_t) -') - -optional_policy(` - udev_read_db(snmpd_t) -') - -optional_policy(` - virt_stream_connect(snmpd_t) -') - -optional_policy(` - kernel_read_xen_state(snmpd_t) - kernel_write_xen_state(snmpd_t) - - xen_stream_connect(snmpd_t) - xen_stream_connect_xenstore(snmpd_t) -') diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc deleted file mode 100644 index 7bedd2f8f..000000000 --- a/policy/modules/services/snort.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0) -/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) - -/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) -/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) - -/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) - -/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if deleted file mode 100644 index c117e8b55..000000000 --- a/policy/modules/services/snort.if +++ /dev/null @@ -1,60 +0,0 @@ -## Snort network intrusion detection system - -######################################## -## -## Execute a domain transition to run snort. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`snort_domtrans',` - gen_require(` - type snort_t, snort_exec_t; - ') - - domtrans_pattern($1, snort_exec_t, snort_t) -') - -######################################## -## -## All of the rules required to administrate -## an snort environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the snort domain. -## -## -## -# -interface(`snort_admin',` - gen_require(` - type snort_t, snort_var_run_t, snort_log_t; - type snort_etc_t, snort_initrc_exec_t; - ') - - allow $1 snort_t:process { ptrace signal_perms }; - ps_process_pattern($1, snort_t) - - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 snort_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, snort_etc_t) - files_search_etc($1) - - admin_pattern($1, snort_log_t) - logging_search_logs($1) - - admin_pattern($1, snort_var_run_t) - files_search_pids($1) -') diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te deleted file mode 100644 index 179bc1b0b..000000000 --- a/policy/modules/services/snort.te +++ /dev/null @@ -1,117 +0,0 @@ -policy_module(snort, 1.10.0) - -######################################## -# -# Declarations -# - -type snort_t; -type snort_exec_t; -init_daemon_domain(snort_t, snort_exec_t) - -type snort_etc_t; -files_config_file(snort_etc_t) - -type snort_initrc_exec_t; -init_script_file(snort_initrc_exec_t) - -type snort_log_t; -logging_log_file(snort_log_t) - -type snort_tmp_t; -files_tmp_file(snort_tmp_t) - -type snort_var_run_t; -files_pid_file(snort_var_run_t) - -######################################## -# -# Local policy -# - -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; -dontaudit snort_t self:capability sys_tty_config; -allow snort_t self:process signal_perms; -allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; -allow snort_t self:tcp_socket create_stream_socket_perms; -allow snort_t self:udp_socket create_socket_perms; -allow snort_t self:packet_socket create_socket_perms; -allow snort_t self:socket create_socket_perms; -# Snort IPS node. unverified. -allow snort_t self:netlink_firewall_socket { bind create getattr }; - -allow snort_t snort_etc_t:dir list_dir_perms; -allow snort_t snort_etc_t:file read_file_perms; -allow snort_t snort_etc_t:lnk_file { getattr read }; - -manage_files_pattern(snort_t, snort_log_t, snort_log_t) -create_dirs_pattern(snort_t, snort_log_t, snort_log_t) -logging_log_filetrans(snort_t, snort_log_t, { file dir }) - -manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) -manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t) -files_tmp_filetrans(snort_t, snort_tmp_t, { file dir }) - -manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t) -files_pid_filetrans(snort_t, snort_var_run_t, file) - -kernel_read_kernel_sysctls(snort_t) -kernel_read_sysctl(snort_t) -kernel_list_proc(snort_t) -kernel_read_proc_symlinks(snort_t) -kernel_request_load_module(snort_t) -kernel_dontaudit_read_system_state(snort_t) -kernel_read_network_state(snort_t) - -corenet_all_recvfrom_unlabeled(snort_t) -corenet_all_recvfrom_netlabel(snort_t) -corenet_tcp_sendrecv_generic_if(snort_t) -corenet_udp_sendrecv_generic_if(snort_t) -corenet_raw_sendrecv_generic_if(snort_t) -corenet_tcp_sendrecv_generic_node(snort_t) -corenet_udp_sendrecv_generic_node(snort_t) -corenet_raw_sendrecv_generic_node(snort_t) -corenet_tcp_sendrecv_all_ports(snort_t) -corenet_udp_sendrecv_all_ports(snort_t) -corenet_tcp_connect_prelude_port(snort_t) - -dev_read_sysfs(snort_t) -dev_read_rand(snort_t) -dev_read_urand(snort_t) -dev_read_usbmon_dev(snort_t) -# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon -# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? -dev_rw_generic_usb_dev(snort_t) - -domain_use_interactive_fds(snort_t) - -files_read_etc_files(snort_t) -files_dontaudit_read_etc_runtime_files(snort_t) - -fs_getattr_all_fs(snort_t) -fs_search_auto_mountpoints(snort_t) - -init_read_utmp(snort_t) - -logging_send_syslog_msg(snort_t) - -miscfiles_read_localization(snort_t) - -sysnet_read_config(snort_t) -# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager -sysnet_dns_name_resolve(snort_t) - -userdom_dontaudit_use_unpriv_user_fds(snort_t) -userdom_dontaudit_search_user_home_dirs(snort_t) - -optional_policy(` - prelude_manage_spool(snort_t) -') - -optional_policy(` - seutil_sigchld_newrole(snort_t) -') - -optional_policy(` - udev_read_db(snort_t) -') diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc deleted file mode 100644 index d89b2cb61..000000000 --- a/policy/modules/services/soundserver.fc +++ /dev/null @@ -1,13 +0,0 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) - -/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) -/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0) - -/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) - -/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) -/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) - -/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if deleted file mode 100644 index 93fe7bf80..000000000 --- a/policy/modules/services/soundserver.if +++ /dev/null @@ -1,57 +0,0 @@ -## sound server for network audio server programs, nasd, yiff, etc - -######################################## -## -## Connect to the sound server over a TCP socket (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`soundserver_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an soundd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the soundd domain. -## -## -## -# -interface(`soundserver_admin',` - gen_require(` - type soundd_t, soundd_etc_t; - type soundd_tmp_t, soundd_var_run_t; - type soundd_initrc_exec_t; - ') - - allow $1 soundd_t:process { ptrace signal_perms }; - ps_process_pattern($1, soundd_t) - - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 soundd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, soundd_etc_t) - - files_list_tmp($1) - admin_pattern($1, soundd_tmp_t) - - files_list_pids($1) - admin_pattern($1, soundd_var_run_t) -') diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te deleted file mode 100644 index 3217605d4..000000000 --- a/policy/modules/services/soundserver.te +++ /dev/null @@ -1,114 +0,0 @@ -policy_module(soundserver, 1.8.0) - -######################################## -# -# Declarations -# - -type soundd_t; -type soundd_exec_t; -init_daemon_domain(soundd_t, soundd_exec_t) - -type soundd_etc_t alias etc_soundd_t; -files_config_file(soundd_etc_t) - -type soundd_initrc_exec_t; -init_script_file(soundd_initrc_exec_t) - -type soundd_state_t; -files_type(soundd_state_t) - -type soundd_tmp_t; -files_tmp_file(soundd_tmp_t) - -# for yiff - probably need some rules for the client support too -type soundd_tmpfs_t; -files_tmpfs_file(soundd_tmpfs_t) - -type soundd_var_run_t; -files_pid_file(soundd_var_run_t) - -######################################## -# -# Declarations -# - -allow soundd_t self:capability dac_override; -dontaudit soundd_t self:capability sys_tty_config; -allow soundd_t self:process { setpgid signal_perms }; -allow soundd_t self:tcp_socket create_stream_socket_perms; -allow soundd_t self:udp_socket create_socket_perms; -allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; - -# for yiff -allow soundd_t self:shm create_shm_perms; - -read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) -read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) - -manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) -manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) - -manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) -manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) -files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir }) - -manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) -fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) -files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) - -kernel_read_kernel_sysctls(soundd_t) -kernel_list_proc(soundd_t) -kernel_read_proc_symlinks(soundd_t) - -corenet_all_recvfrom_unlabeled(soundd_t) -corenet_all_recvfrom_netlabel(soundd_t) -corenet_tcp_sendrecv_generic_if(soundd_t) -corenet_udp_sendrecv_generic_if(soundd_t) -corenet_tcp_sendrecv_generic_node(soundd_t) -corenet_udp_sendrecv_generic_node(soundd_t) -corenet_tcp_sendrecv_all_ports(soundd_t) -corenet_udp_sendrecv_all_ports(soundd_t) -corenet_tcp_bind_generic_node(soundd_t) -corenet_tcp_bind_soundd_port(soundd_t) -corenet_sendrecv_soundd_server_packets(soundd_t) - -dev_read_sysfs(soundd_t) -dev_read_sound(soundd_t) -dev_write_sound(soundd_t) - -domain_use_interactive_fds(soundd_t) - -files_read_etc_files(soundd_t) -files_read_etc_runtime_files(soundd_t) - -fs_getattr_all_fs(soundd_t) -fs_search_auto_mountpoints(soundd_t) - -logging_send_syslog_msg(soundd_t) - -miscfiles_read_localization(soundd_t) - -sysnet_read_config(soundd_t) - -userdom_dontaudit_use_unpriv_user_fds(soundd_t) -userdom_dontaudit_search_user_home_dirs(soundd_t) - -optional_policy(` - alsa_domtrans(soundd_t) -') - -optional_policy(` - seutil_sigchld_newrole(soundd_t) -') - -optional_policy(` - udev_read_db(soundd_t) -') diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc deleted file mode 100644 index 6b3abf9e0..000000000 --- a/policy/modules/services/spamassassin.fc +++ /dev/null @@ -1,15 +0,0 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) - -/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) - -/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) - -/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) - -/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if deleted file mode 100644 index c954f3191..000000000 --- a/policy/modules/services/spamassassin.if +++ /dev/null @@ -1,227 +0,0 @@ -## Filter used for removing unsolicited email. - -######################################## -## -## Role access for spamassassin -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`spamassassin_role',` - gen_require(` - type spamc_t, spamc_exec_t, spamc_tmp_t; - type spamassassin_t, spamassassin_exec_t; - type spamassassin_home_t, spamassassin_tmp_t; - ') - - role $1 types { spamc_t spamassassin_t }; - - domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) - ps_process_pattern($2, spamassassin_t) - - domtrans_pattern($2, spamc_exec_t, spamc_t) - ps_process_pattern($2, spamc_t) - - manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) - manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) - relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) -') - -######################################## -## -## Execute the standalone spamassassin -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_exec',` - gen_require(` - type spamassassin_exec_t; - ') - - can_exec($1, spamassassin_exec_t) - -') - -######################################## -## -## Singnal the spam assassin daemon -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_signal_spamd',` - gen_require(` - type spamd_t; - ') - - allow $1 spamd_t:process signal; -') - -######################################## -## -## Execute the spamassassin daemon -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_exec_spamd',` - gen_require(` - type spamd_exec_t; - ') - - can_exec($1, spamd_exec_t) -') - -######################################## -## -## Execute spamassassin client in the spamassassin client domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`spamassassin_domtrans_client',` - gen_require(` - type spamc_t, spamc_exec_t; - ') - - domtrans_pattern($1, spamc_exec_t, spamc_t) -') - -######################################## -## -## Execute the spamassassin client -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_exec_client',` - gen_require(` - type spamc_exec_t; - ') - - can_exec($1, spamc_exec_t) -') - -######################################## -## -## Execute spamassassin standalone client in the user spamassassin domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`spamassassin_domtrans_local_client',` - gen_require(` - type spamassassin_t, spamassassin_exec_t; - ') - - domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) -') - -######################################## -## -## read spamd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_read_lib_files',` - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## spamd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_manage_lib_files',` - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) -') - -######################################## -## -## Read temporary spamd file. -## -## -## -## Domain allowed access. -## -## -# -interface(`spamassassin_read_spamd_tmp_files',` - gen_require(` - type spamd_tmp_t; - ') - - allow $1 spamd_tmp_t:file read_file_perms; -') - -######################################## -## -## Do not audit attempts to get attributes of temporary -## spamd sockets/ -## -## -## -## Domain to not audit. -## -## -# -interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` - gen_require(` - type spamd_tmp_t; - ') - - dontaudit $1 spamd_tmp_t:sock_file getattr; -') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te deleted file mode 100644 index ec1eb1e7c..000000000 --- a/policy/modules/services/spamassassin.te +++ /dev/null @@ -1,453 +0,0 @@ -policy_module(spamassassin, 2.4.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow user spamassassin clients to use the network. -##

-## -gen_tunable(spamassassin_can_network, false) - -## -##

-## Allow spamd to read/write user home directories. -##

-## -gen_tunable(spamd_enable_home_dirs, true) - -type spamassassin_t; -type spamassassin_exec_t; -typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; -application_domain(spamassassin_t, spamassassin_exec_t) -ubac_constrained(spamassassin_t) - -type spamassassin_home_t; -typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -userdom_user_home_content(spamassassin_home_t) - -type spamassassin_tmp_t; -typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -files_tmp_file(spamassassin_tmp_t) -ubac_constrained(spamassassin_tmp_t) - -type spamc_t; -type spamc_exec_t; -typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; -typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; -application_domain(spamc_t, spamc_exec_t) -ubac_constrained(spamc_t) - -type spamc_tmp_t; -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -files_tmp_file(spamc_tmp_t) -ubac_constrained(spamc_tmp_t) - -type spamd_t; -type spamd_exec_t; -init_daemon_domain(spamd_t, spamd_exec_t) - -type spamd_spool_t; -files_type(spamd_spool_t) - -type spamd_tmp_t; -files_tmp_file(spamd_tmp_t) - -# var/lib files -type spamd_var_lib_t; -files_type(spamd_var_lib_t) - -type spamd_var_run_t; -files_pid_file(spamd_var_run_t) - -############################## -# -# Standalone program local policy -# - -allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamassassin_t self:fd use; -allow spamassassin_t self:fifo_file rw_fifo_file_perms; -allow spamassassin_t self:sock_file read_sock_file_perms; -allow spamassassin_t self:unix_dgram_socket create_socket_perms; -allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; -allow spamassassin_t self:unix_dgram_socket sendto; -allow spamassassin_t self:unix_stream_socket connectto; -allow spamassassin_t self:shm create_shm_perms; -allow spamassassin_t self:sem create_sem_perms; -allow spamassassin_t self:msgq create_msgq_perms; -allow spamassassin_t self:msg { send receive }; - -manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - -manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) -manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) -files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) - -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(spamassassin_t) - -dev_read_urand(spamassassin_t) - -fs_search_auto_mountpoints(spamassassin_t) - -# this should probably be removed -corecmd_list_bin(spamassassin_t) -corecmd_read_bin_symlinks(spamassassin_t) -corecmd_read_bin_files(spamassassin_t) -corecmd_read_bin_pipes(spamassassin_t) -corecmd_read_bin_sockets(spamassassin_t) - -domain_use_interactive_fds(spamassassin_t) - -files_read_etc_files(spamassassin_t) -files_read_etc_runtime_files(spamassassin_t) -files_list_home(spamassassin_t) -files_read_usr_files(spamassassin_t) -files_dontaudit_search_var(spamassassin_t) - -logging_send_syslog_msg(spamassassin_t) - -miscfiles_read_localization(spamassassin_t) - -# cjp: this could probably be removed -seutil_read_config(spamassassin_t) - -sysnet_dns_name_resolve(spamassassin_t) - -# set tunable if you have spamassassin do DNS lookups -tunable_policy(`spamassassin_can_network',` - allow spamassassin_t self:tcp_socket create_stream_socket_perms; - allow spamassassin_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(spamassassin_t) - corenet_all_recvfrom_netlabel(spamassassin_t) - corenet_tcp_sendrecv_generic_if(spamassassin_t) - corenet_udp_sendrecv_generic_if(spamassassin_t) - corenet_tcp_sendrecv_generic_node(spamassassin_t) - corenet_udp_sendrecv_generic_node(spamassassin_t) - corenet_tcp_sendrecv_all_ports(spamassassin_t) - corenet_udp_sendrecv_all_ports(spamassassin_t) - corenet_tcp_connect_all_ports(spamassassin_t) - corenet_sendrecv_all_client_packets(spamassassin_t) - - sysnet_read_config(spamassassin_t) -') - -tunable_policy(`spamd_enable_home_dirs',` - userdom_manage_user_home_content_dirs(spamd_t) - userdom_manage_user_home_content_files(spamd_t) - userdom_manage_user_home_content_symlinks(spamd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamassassin_t) - fs_manage_nfs_files(spamassassin_t) - fs_manage_nfs_symlinks(spamassassin_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamassassin_t) - fs_manage_cifs_files(spamassassin_t) - fs_manage_cifs_symlinks(spamassassin_t) -') - -optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) -') - -optional_policy(` - tunable_policy(`spamassassin_can_network && allow_ypbind',` - nis_use_ypbind_uncond(spamassassin_t) - ') -') - -optional_policy(` - mta_read_config(spamassassin_t) - sendmail_stub(spamassassin_t) -') - -######################################## -# -# Client local policy -# - -allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamc_t self:fd use; -allow spamc_t self:fifo_file rw_fifo_file_perms; -allow spamc_t self:sock_file read_sock_file_perms; -allow spamc_t self:shm create_shm_perms; -allow spamc_t self:sem create_sem_perms; -allow spamc_t self:msgq create_msgq_perms; -allow spamc_t self:msg { send receive }; -allow spamc_t self:unix_dgram_socket create_socket_perms; -allow spamc_t self:unix_stream_socket create_stream_socket_perms; -allow spamc_t self:unix_dgram_socket sendto; -allow spamc_t self:unix_stream_socket connectto; -allow spamc_t self:tcp_socket create_stream_socket_perms; -allow spamc_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) - -# Allow connecting to a local spamd -allow spamc_t spamd_t:unix_stream_socket connectto; -allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; - -kernel_read_kernel_sysctls(spamc_t) - -corenet_all_recvfrom_unlabeled(spamc_t) -corenet_all_recvfrom_netlabel(spamc_t) -corenet_tcp_sendrecv_generic_if(spamc_t) -corenet_udp_sendrecv_generic_if(spamc_t) -corenet_tcp_sendrecv_generic_node(spamc_t) -corenet_udp_sendrecv_generic_node(spamc_t) -corenet_tcp_sendrecv_all_ports(spamc_t) -corenet_udp_sendrecv_all_ports(spamc_t) -corenet_tcp_connect_all_ports(spamc_t) -corenet_sendrecv_all_client_packets(spamc_t) - -fs_search_auto_mountpoints(spamc_t) - -# cjp: these should probably be removed: -corecmd_list_bin(spamc_t) -corecmd_read_bin_symlinks(spamc_t) -corecmd_read_bin_files(spamc_t) -corecmd_read_bin_pipes(spamc_t) -corecmd_read_bin_sockets(spamc_t) - -domain_use_interactive_fds(spamc_t) - -files_read_etc_files(spamc_t) -files_read_etc_runtime_files(spamc_t) -files_read_usr_files(spamc_t) -files_dontaudit_search_var(spamc_t) -# cjp: this may be removable: -files_list_home(spamc_t) - -logging_send_syslog_msg(spamc_t) - -miscfiles_read_localization(spamc_t) - -# cjp: this should probably be removed: -seutil_read_config(spamc_t) - -sysnet_read_config(spamc_t) - -optional_policy(` - # Allow connection to spamd socket above - evolution_stream_connect(spamc_t) -') - -optional_policy(` - # Needed for pyzor/razor called from spamd - milter_manage_spamass_state(spamc_t) -') - -optional_policy(` - nis_use_ypbind(spamc_t) -') - -optional_policy(` - nscd_socket_use(spamc_t) -') - -optional_policy(` - mta_read_config(spamc_t) - sendmail_stub(spamc_t) -') - -######################################## -# -# Server local policy -# - -# Spamassassin, when run as root and using per-user config files, -# setuids to the user running spamc. Comment this if you are not -# using this ability. - -allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; -dontaudit spamd_t self:capability sys_tty_config; -allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow spamd_t self:fd use; -allow spamd_t self:fifo_file rw_fifo_file_perms; -allow spamd_t self:sock_file read_sock_file_perms; -allow spamd_t self:shm create_shm_perms; -allow spamd_t self:sem create_sem_perms; -allow spamd_t self:msgq create_msgq_perms; -allow spamd_t self:msg { send receive }; -allow spamd_t self:unix_dgram_socket create_socket_perms; -allow spamd_t self:unix_stream_socket create_stream_socket_perms; -allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket connectto; -allow spamd_t self:tcp_socket create_stream_socket_perms; -allow spamd_t self:udp_socket create_socket_perms; -allow spamd_t self:netlink_route_socket r_netlink_socket_perms; - -manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) - -manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - -# var/lib files for spamd -allow spamd_t spamd_var_lib_t:dir list_dir_perms; -read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - -manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) - -kernel_read_all_sysctls(spamd_t) -kernel_read_system_state(spamd_t) - -corenet_all_recvfrom_unlabeled(spamd_t) -corenet_all_recvfrom_netlabel(spamd_t) -corenet_tcp_sendrecv_generic_if(spamd_t) -corenet_udp_sendrecv_generic_if(spamd_t) -corenet_tcp_sendrecv_generic_node(spamd_t) -corenet_udp_sendrecv_generic_node(spamd_t) -corenet_tcp_sendrecv_all_ports(spamd_t) -corenet_udp_sendrecv_all_ports(spamd_t) -corenet_tcp_bind_generic_node(spamd_t) -corenet_tcp_bind_spamd_port(spamd_t) -corenet_tcp_connect_razor_port(spamd_t) -corenet_tcp_connect_smtp_port(spamd_t) -corenet_sendrecv_razor_client_packets(spamd_t) -corenet_sendrecv_spamd_server_packets(spamd_t) -# spamassassin 3.1 needs this for its -# DnsResolver.pm module which binds to -# random ports >= 1024. -corenet_udp_bind_generic_node(spamd_t) -corenet_udp_bind_generic_port(spamd_t) -corenet_udp_bind_imaze_port(spamd_t) -corenet_dontaudit_udp_bind_all_ports(spamd_t) -corenet_sendrecv_imaze_server_packets(spamd_t) -corenet_sendrecv_generic_server_packets(spamd_t) - -dev_read_sysfs(spamd_t) -dev_read_urand(spamd_t) - -fs_getattr_all_fs(spamd_t) -fs_search_auto_mountpoints(spamd_t) - -auth_dontaudit_read_shadow(spamd_t) - -corecmd_exec_bin(spamd_t) - -domain_use_interactive_fds(spamd_t) - -files_read_usr_files(spamd_t) -files_read_etc_files(spamd_t) -files_read_etc_runtime_files(spamd_t) -# /var/lib/spamassin -files_read_var_lib_files(spamd_t) - -init_dontaudit_rw_utmp(spamd_t) - -logging_send_syslog_msg(spamd_t) - -miscfiles_read_localization(spamd_t) - -sysnet_read_config(spamd_t) -sysnet_use_ldap(spamd_t) -sysnet_dns_name_resolve(spamd_t) - -userdom_use_unpriv_users_fds(spamd_t) -userdom_search_user_home_dirs(spamd_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(spamd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(spamd_t) -') - -optional_policy(` - amavis_manage_lib_files(spamd_t) -') - -optional_policy(` - cron_system_entry(spamd_t, spamd_exec_t) -') - -optional_policy(` - daemontools_service_domain(spamd_t, spamd_exec_t) -') - -optional_policy(` - dcc_domtrans_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) -') - -optional_policy(` - milter_manage_spamass_state(spamd_t) -') - -optional_policy(` - corenet_tcp_connect_mysqld_port(spamd_t) - corenet_sendrecv_mysqld_client_packets(spamd_t) - - mysql_search_db(spamd_t) - mysql_stream_connect(spamd_t) -') - -optional_policy(` - nis_use_ypbind(spamd_t) -') - -optional_policy(` - postfix_read_config(spamd_t) -') - -optional_policy(` - corenet_tcp_connect_postgresql_port(spamd_t) - corenet_sendrecv_postgresql_client_packets(spamd_t) - - postgresql_stream_connect(spamd_t) -') - -optional_policy(` - pyzor_domtrans(spamd_t) - pyzor_signal(spamd_t) -') - -optional_policy(` - razor_domtrans(spamd_t) -') - -optional_policy(` - seutil_sigchld_newrole(spamd_t) -') - -optional_policy(` - sendmail_stub(spamd_t) - mta_read_config(spamd_t) -') - -optional_policy(` - udev_read_db(spamd_t) -') diff --git a/policy/modules/services/speedtouch.fc b/policy/modules/services/speedtouch.fc deleted file mode 100644 index 9760d154f..000000000 --- a/policy/modules/services/speedtouch.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0) - diff --git a/policy/modules/services/speedtouch.if b/policy/modules/services/speedtouch.if deleted file mode 100644 index 826e2db0b..000000000 --- a/policy/modules/services/speedtouch.if +++ /dev/null @@ -1 +0,0 @@ -## Alcatel speedtouch USB ADSL modem diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te deleted file mode 100644 index ade10f5ec..000000000 --- a/policy/modules/services/speedtouch.te +++ /dev/null @@ -1,61 +0,0 @@ -policy_module(speedtouch, 1.4.0) - -####################################### -# -# Rules for the speedmgmt_t domain. -# - -type speedmgmt_t; -type speedmgmt_exec_t; -init_daemon_domain(speedmgmt_t, speedmgmt_exec_t) - -type speedmgmt_tmp_t; -files_tmp_file(speedmgmt_tmp_t) - -type speedmgmt_var_run_t; -files_pid_file(speedmgmt_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit speedmgmt_t self:capability sys_tty_config; -allow speedmgmt_t self:process signal_perms; - -manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) -manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) -files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir }) - -manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t) -files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file) - -kernel_read_kernel_sysctls(speedmgmt_t) -kernel_list_proc(speedmgmt_t) -kernel_read_proc_symlinks(speedmgmt_t) - -dev_read_sysfs(speedmgmt_t) -dev_read_usbfs(speedmgmt_t) - -domain_use_interactive_fds(speedmgmt_t) - -files_read_etc_files(speedmgmt_t) -files_read_usr_files(speedmgmt_t) - -fs_getattr_all_fs(speedmgmt_t) -fs_search_auto_mountpoints(speedmgmt_t) - -logging_send_syslog_msg(speedmgmt_t) - -miscfiles_read_localization(speedmgmt_t) - -userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) -userdom_dontaudit_search_user_home_dirs(speedmgmt_t) - -optional_policy(` - seutil_sigchld_newrole(speedmgmt_t) -') - -optional_policy(` - udev_read_db(speedmgmt_t) -') diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc deleted file mode 100644 index 6cc4a90a1..000000000 --- a/policy/modules/services/squid.fc +++ /dev/null @@ -1,14 +0,0 @@ -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) -/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) -/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) -/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if deleted file mode 100644 index d2496bd70..000000000 --- a/policy/modules/services/squid.if +++ /dev/null @@ -1,233 +0,0 @@ -## Squid caching http proxy server - -######################################## -## -## Execute squid in the squid domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`squid_domtrans',` - gen_require(` - type squid_t, squid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, squid_exec_t, squid_t) -') - -######################################## -## -## Execute squid -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_exec',` - gen_require(` - type squid_exec_t; - ') - - can_exec($1, squid_exec_t) -') - -######################################## -## -## Send generic signals to squid. -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_signal',` - gen_require(` - type squid_t; - ') - - allow $1 squid_t:process signal; -') - -######################################## -## -## Allow read and write squid -## unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_rw_stream_sockets',` - gen_require(` - type squid_t; - ') - - allow $1 squid_t:unix_stream_socket { getattr read write }; -') - -######################################## -## -## Do not audit attempts to search squid cache dirs -## -## -## -## Domain to not audit. -## -## -## -# -interface(`squid_dontaudit_search_cache',` - gen_require(` - type squid_cache_t; - ') - - dontaudit $1 squid_cache_t:dir search_dir_perms; -') - -######################################## -## -## Read squid configuration file. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`squid_read_config',` - gen_require(` - type squid_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, squid_conf_t, squid_conf_t) -') - -######################################## -## -## Append squid logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`squid_read_log',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## -## Append squid logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_append_log',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## -## Create, read, write, and delete -## squid logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`squid_manage_logs',` - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, squid_log_t, squid_log_t) -') - -######################################## -## -## Use squid services by connecting over TCP. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# -interface(`squid_use',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## -## All of the rules required to administrate -## an squid environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the squid domain. -## -## -## -# -interface(`squid_admin',` - gen_require(` - type squid_t, squid_cache_t, squid_conf_t; - type squid_log_t, squid_var_run_t; - type squid_initrc_exec_t; - ') - - allow $1 squid_t:process { ptrace signal_perms }; - ps_process_pattern($1, squid_t) - - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 squid_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var($1) - admin_pattern($1, squid_cache_t) - - files_list_etc($1) - admin_pattern($1, squid_conf_t) - - logging_list_logs($1) - admin_pattern($1, squid_log_t) - - files_list_pids($1) - admin_pattern($1, squid_var_run_t) -') diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te deleted file mode 100644 index 4b2230e78..000000000 --- a/policy/modules/services/squid.te +++ /dev/null @@ -1,208 +0,0 @@ -policy_module(squid, 1.10.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

-## -gen_tunable(squid_connect_any, false) - -## -##

-## Allow squid to run as a transparent proxy (TPROXY) -##

-## -gen_tunable(squid_use_tproxy, false) - -type squid_t; -type squid_exec_t; -init_daemon_domain(squid_t, squid_exec_t) - -# type for /var/cache/squid -type squid_cache_t; -files_type(squid_cache_t) - -type squid_conf_t; -files_type(squid_conf_t) - -type squid_initrc_exec_t; -init_script_file(squid_initrc_exec_t) - -type squid_log_t; -logging_log_file(squid_log_t) - -type squid_tmpfs_t; -files_tmpfs_file(squid_tmpfs_t) - -type squid_var_run_t; -files_pid_file(squid_var_run_t) - -######################################## -# -# Local policy -# - -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; -dontaudit squid_t self:capability sys_tty_config; -allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; -allow squid_t self:fifo_file rw_fifo_file_perms; -allow squid_t self:sock_file read_sock_file_perms; -allow squid_t self:fd use; -allow squid_t self:shm create_shm_perms; -allow squid_t self:sem create_sem_perms; -allow squid_t self:msgq create_msgq_perms; -allow squid_t self:msg { send receive }; -allow squid_t self:unix_stream_socket create_stream_socket_perms; -allow squid_t self:unix_dgram_socket create_socket_perms; -allow squid_t self:unix_dgram_socket sendto; -allow squid_t self:unix_stream_socket connectto; -allow squid_t self:tcp_socket create_stream_socket_perms; -allow squid_t self:udp_socket create_socket_perms; - -# Grant permissions to create, access, and delete cache files. -manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) -manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) -manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) - -allow squid_t squid_conf_t:dir list_dir_perms; -read_files_pattern(squid_t, squid_conf_t, squid_conf_t) -read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t) - -can_exec(squid_t, squid_exec_t) - -manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) -manage_files_pattern(squid_t, squid_log_t, squid_log_t) -manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) -logging_log_filetrans(squid_t, squid_log_t, { file dir }) - -#squid requires the following when run in diskd mode, the recommended setting -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) - -manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) -files_pid_filetrans(squid_t, squid_var_run_t, file) - -kernel_read_kernel_sysctls(squid_t) -kernel_read_system_state(squid_t) - -files_dontaudit_getattr_boot_dirs(squid_t) - -corenet_all_recvfrom_unlabeled(squid_t) -corenet_all_recvfrom_netlabel(squid_t) -corenet_tcp_sendrecv_generic_if(squid_t) -corenet_udp_sendrecv_generic_if(squid_t) -corenet_tcp_sendrecv_generic_node(squid_t) -corenet_udp_sendrecv_generic_node(squid_t) -corenet_tcp_sendrecv_all_ports(squid_t) -corenet_udp_sendrecv_all_ports(squid_t) -corenet_tcp_bind_generic_node(squid_t) -corenet_udp_bind_generic_node(squid_t) -corenet_tcp_bind_http_port(squid_t) -corenet_tcp_bind_http_cache_port(squid_t) -corenet_udp_bind_http_cache_port(squid_t) -corenet_tcp_bind_ftp_port(squid_t) -corenet_tcp_bind_gopher_port(squid_t) -corenet_udp_bind_gopher_port(squid_t) -corenet_tcp_bind_squid_port(squid_t) -corenet_udp_bind_squid_port(squid_t) -corenet_udp_bind_wccp_port(squid_t) -corenet_tcp_connect_ftp_port(squid_t) -corenet_tcp_connect_gopher_port(squid_t) -corenet_tcp_connect_http_port(squid_t) -corenet_tcp_connect_http_cache_port(squid_t) -corenet_tcp_connect_pgpkeyserver_port(squid_t) -corenet_sendrecv_ftp_client_packets(squid_t) -corenet_sendrecv_gopher_client_packets(squid_t) -corenet_sendrecv_http_client_packets(squid_t) -corenet_sendrecv_http_server_packets(squid_t) -corenet_sendrecv_http_cache_server_packets(squid_t) -corenet_sendrecv_http_cache_client_packets(squid_t) -corenet_sendrecv_pgpkeyserver_client_packets(squid_t) -corenet_sendrecv_squid_client_packets(squid_t) -corenet_sendrecv_squid_server_packets(squid_t) -corenet_sendrecv_wccp_server_packets(squid_t) - -dev_read_sysfs(squid_t) -dev_read_urand(squid_t) - -fs_getattr_all_fs(squid_t) -fs_search_auto_mountpoints(squid_t) -fs_list_inotifyfs(squid_t) - -selinux_dontaudit_getattr_dir(squid_t) - -term_dontaudit_getattr_pty_dirs(squid_t) - -# to allow running programs from /usr/lib/squid (IE unlinkd) -corecmd_exec_bin(squid_t) -corecmd_exec_shell(squid_t) - -domain_use_interactive_fds(squid_t) - -files_read_etc_files(squid_t) -files_read_etc_runtime_files(squid_t) -files_read_usr_files(squid_t) -files_search_spool(squid_t) -files_dontaudit_getattr_tmp_dirs(squid_t) -files_getattr_home_dir(squid_t) - -auth_use_nsswitch(squid_t) -auth_domtrans_chk_passwd(squid_t) - -# to allow running programs from /usr/lib/squid (IE unlinkd) -libs_exec_lib_files(squid_t) - -logging_send_syslog_msg(squid_t) - -miscfiles_read_generic_certs(squid_t) -miscfiles_read_localization(squid_t) - -userdom_use_unpriv_users_fds(squid_t) -userdom_dontaudit_search_user_home_dirs(squid_t) - -tunable_policy(`squid_connect_any',` - corenet_tcp_connect_all_ports(squid_t) - corenet_tcp_bind_all_ports(squid_t) - corenet_sendrecv_all_packets(squid_t) -') - -tunable_policy(`squid_use_tproxy',` - allow squid_t self:capability net_admin; - corenet_tcp_bind_netport_port(squid_t) -') - -optional_policy(` - apache_content_template(squid) - - allow httpd_squid_script_t self:tcp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) - corenet_all_recvfrom_netlabel(httpd_squid_script_t) - corenet_tcp_connect_http_cache_port(httpd_squid_script_t) - - sysnet_dns_name_resolve(httpd_squid_script_t) - - squid_read_config(httpd_squid_script_t) -') - -optional_policy(` - cron_system_entry(squid_t, squid_exec_t) -') - -optional_policy(` - samba_domtrans_winbind_helper(squid_t) -') - -optional_policy(` - seutil_sigchld_newrole(squid_t) -') - -optional_policy(` - udev_read_db(squid_t) -') diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 22adacadb..6f9eed133 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -248,7 +248,9 @@ template(`ssh_server_template', ` userdom_search_user_home_dirs($1_t) # Allow checking users mail at login - mta_getattr_spool($1_t) + optional_policy(` + mta_getattr_spool($1_t) + ') tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc deleted file mode 100644 index 4271815b8..000000000 --- a/policy/modules/services/sssd.fc +++ /dev/null @@ -1,11 +0,0 @@ -/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) - -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) - -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) - -/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - -/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) - -/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if deleted file mode 100644 index 941380a73..000000000 --- a/policy/modules/services/sssd.if +++ /dev/null @@ -1,255 +0,0 @@ -## System Security Services Daemon - -######################################## -## -## Execute a domain transition to run sssd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sssd_domtrans',` - gen_require(` - type sssd_t, sssd_exec_t; - ') - - domtrans_pattern($1, sssd_exec_t, sssd_t) -') - -######################################## -## -## Execute sssd server in the sssd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`sssd_initrc_domtrans',` - gen_require(` - type sssd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sssd_initrc_exec_t) -') - -######################################## -## -## Read sssd public files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_read_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - read_files_pattern($1, sssd_public_t, sssd_public_t) -') - -######################################## -## -## Read sssd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_read_pid_files',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - allow $1 sssd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage sssd var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_manage_pids',` - gen_require(` - type sssd_var_run_t; - ') - - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) -') - -######################################## -## -## Search sssd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Do not audit attempts to search sssd lib directories. -## -## -## -## Domain to not audit. -## -## -# -interface(`sssd_dontaudit_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read sssd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_read_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## sssd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_manage_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## -## Send and receive messages from -## sssd over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_dbus_chat',` - gen_require(` - type sssd_t; - class dbus send_msg; - ') - - allow $1 sssd_t:dbus send_msg; - allow sssd_t $1:dbus send_msg; -') - -######################################## -## -## Connect to sssd over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`sssd_stream_connect',` - gen_require(` - type sssd_t, sssd_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) -') - -######################################## -## -## All of the rules required to administrate -## an sssd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the sssd domain. -## -## -## -## -## The type of the user terminal. -## -## -## -# -interface(`sssd_admin',` - gen_require(` - type sssd_t, sssd_public_t; - type sssd_initrc_exec_t; - ') - - allow $1 sssd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, sssd_t, sssd_t) - - # Allow sssd_t to restart the apache service - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; - - sssd_manage_pids($1) - - sssd_manage_lib_files($1) - - admin_pattern($1, sssd_public_t) -') diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te deleted file mode 100644 index 8ffa2577e..000000000 --- a/policy/modules/services/sssd.te +++ /dev/null @@ -1,90 +0,0 @@ -policy_module(sssd, 1.1.0) - -######################################## -# -# Declarations -# - -type sssd_t; -type sssd_exec_t; -init_daemon_domain(sssd_t, sssd_exec_t) - -type sssd_initrc_exec_t; -init_script_file(sssd_initrc_exec_t) - -type sssd_public_t; -files_pid_file(sssd_public_t) - -type sssd_var_lib_t; -files_type(sssd_var_lib_t) - -type sssd_var_log_t; -logging_log_file(sssd_var_log_t) - -type sssd_var_run_t; -files_pid_file(sssd_var_run_t) - -######################################## -# -# sssd local policy -# -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_file_perms; -allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) - -manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) - -manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -logging_log_filetrans(sssd_t, sssd_var_log_t, file) - -manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) - -kernel_read_system_state(sssd_t) - -corecmd_exec_bin(sssd_t) - -dev_read_urand(sssd_t) - -domain_read_all_domains_state(sssd_t) -domain_obj_id_change_exemption(sssd_t) - -files_list_tmp(sssd_t) -files_read_etc_files(sssd_t) -files_read_usr_files(sssd_t) - -fs_list_inotifyfs(sssd_t) - -selinux_validate_context(sssd_t) - -seutil_read_file_contexts(sssd_t) - -mls_file_read_to_clearance(sssd_t) - -auth_use_nsswitch(sssd_t) -auth_domtrans_chk_passwd(sssd_t) -auth_domtrans_upd_passwd(sssd_t) - -init_read_utmp(sssd_t) - -logging_send_syslog_msg(sssd_t) -logging_send_audit_msgs(sssd_t) - -miscfiles_read_localization(sssd_t) - -optional_policy(` - dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) -') - -optional_policy(` - kerberos_manage_host_rcache(sssd_t) -') diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc deleted file mode 100644 index 50e29aa8a..000000000 --- a/policy/modules/services/stunnel.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) - -/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - -/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - -/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if deleted file mode 100644 index 6073656f2..000000000 --- a/policy/modules/services/stunnel.if +++ /dev/null @@ -1,25 +0,0 @@ -## SSL Tunneling Proxy - -######################################## -## -## Define the specified domain as a stunnel inetd service. -## -## -## -## The type associated with the stunnel inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`stunnel_service_domain',` - gen_require(` - type stunnel_t; - ') - - domtrans_pattern(stunnel_t,$2,$1) - allow $1 stunnel_t:tcp_socket rw_socket_perms; -') diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te deleted file mode 100644 index f646c666e..000000000 --- a/policy/modules/services/stunnel.te +++ /dev/null @@ -1,123 +0,0 @@ -policy_module(stunnel, 1.10.0) - -######################################## -# -# Declarations -# - -type stunnel_t; -domain_type(stunnel_t) -role system_r types stunnel_t; - -type stunnel_exec_t; -domain_entry_file(stunnel_t, stunnel_exec_t) - -ifdef(`distro_gentoo',` - init_daemon_domain(stunnel_t, stunnel_exec_t) -',` - inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) -') - -type stunnel_etc_t; -files_config_file(stunnel_etc_t) - -type stunnel_tmp_t; -files_tmp_file(stunnel_tmp_t) - -type stunnel_var_run_t; -files_pid_file(stunnel_var_run_t) - -######################################## -# -# Local policy -# - -allow stunnel_t self:capability { setgid setuid sys_chroot }; -allow stunnel_t self:process signal_perms; -allow stunnel_t self:fifo_file rw_fifo_file_perms; -allow stunnel_t self:tcp_socket create_stream_socket_perms; -allow stunnel_t self:udp_socket create_socket_perms; - -allow stunnel_t stunnel_etc_t:dir list_dir_perms; -allow stunnel_t stunnel_etc_t:file read_file_perms; -allow stunnel_t stunnel_etc_t:lnk_file { getattr read }; - -manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) - -manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file }) - -kernel_read_kernel_sysctls(stunnel_t) -kernel_read_system_state(stunnel_t) -kernel_read_network_state(stunnel_t) - -corecmd_exec_bin(stunnel_t) - -corenet_all_recvfrom_unlabeled(stunnel_t) -corenet_all_recvfrom_netlabel(stunnel_t) -corenet_tcp_sendrecv_generic_if(stunnel_t) -corenet_udp_sendrecv_generic_if(stunnel_t) -corenet_tcp_sendrecv_generic_node(stunnel_t) -corenet_udp_sendrecv_generic_node(stunnel_t) -corenet_tcp_sendrecv_all_ports(stunnel_t) -corenet_udp_sendrecv_all_ports(stunnel_t) -corenet_tcp_bind_generic_node(stunnel_t) -corenet_tcp_connect_all_ports(stunnel_t) - -fs_getattr_all_fs(stunnel_t) - -auth_use_nsswitch(stunnel_t) - -logging_send_syslog_msg(stunnel_t) - -miscfiles_read_localization(stunnel_t) - -sysnet_read_config(stunnel_t) - -ifdef(`distro_gentoo', ` - dontaudit stunnel_t self:capability sys_tty_config; - allow stunnel_t self:udp_socket create_socket_perms; - - dev_read_sysfs(stunnel_t) - - fs_search_auto_mountpoints(stunnel_t) - - domain_use_interactive_fds(stunnel_t) - - userdom_dontaudit_use_unpriv_user_fds(stunnel_t) - userdom_dontaudit_search_user_home_dirs(stunnel_t) - - optional_policy(` - daemontools_service_domain(stunnel_t, stunnel_exec_t) - ') - - optional_policy(` - seutil_sigchld_newrole(stunnel_t) - ') - - optional_policy(` - udev_read_db(stunnel_t) - ') -',` - allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - - dev_read_urand(stunnel_t) - - files_read_etc_files(stunnel_t) - files_read_etc_runtime_files(stunnel_t) - files_search_home(stunnel_t) - - optional_policy(` - kerberos_use(stunnel_t) - ') -') - -# hack since this port has no interfaces since it doesnt -# have net_contexts -gen_require(` - type stunnel_port_t; -') -allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc deleted file mode 100644 index 08d999cf5..000000000 --- a/policy/modules/services/sysstat.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) -/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) - -/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if deleted file mode 100644 index 7a23b3b85..000000000 --- a/policy/modules/services/sysstat.if +++ /dev/null @@ -1,21 +0,0 @@ -## Policy for sysstat. Reports on various system states - -######################################## -## -## Manage sysstat logs. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`sysstat_manage_log',` - gen_require(` - type sysstat_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sysstat_log_t, sysstat_log_t) -') diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te deleted file mode 100644 index 52f0d6c29..000000000 --- a/policy/modules/services/sysstat.te +++ /dev/null @@ -1,70 +0,0 @@ -policy_module(sysstat, 1.6.0) - -######################################## -# -# Declarations -# - -type sysstat_t; -type sysstat_exec_t; -init_system_domain(sysstat_t, sysstat_exec_t) -role system_r types sysstat_t; - -type sysstat_log_t; -logging_log_file(sysstat_log_t) - -######################################## -# -# Local policy -# - -allow sysstat_t self:capability { dac_override sys_resource sys_tty_config }; -dontaudit sysstat_t self:capability sys_admin; -allow sysstat_t self:fifo_file rw_fifo_file_perms; - -can_exec(sysstat_t, sysstat_exec_t) - -manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) -manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) - -# get info from /proc -kernel_read_system_state(sysstat_t) -kernel_read_network_state(sysstat_t) -kernel_read_kernel_sysctls(sysstat_t) -kernel_read_fs_sysctls(sysstat_t) -kernel_read_rpc_sysctls(sysstat_t) - -corecmd_exec_bin(sysstat_t) - -dev_read_urand(sysstat_t) -dev_read_sysfs(sysstat_t) - -files_search_var(sysstat_t) -# for mtab -files_read_etc_runtime_files(sysstat_t) -#for fstab -files_read_etc_files(sysstat_t) - -fs_getattr_xattr_fs(sysstat_t) -fs_list_inotifyfs(sysstat_t) - -term_use_console(sysstat_t) -term_use_all_terms(sysstat_t) - -init_use_fds(sysstat_t) - -locallogin_use_fds(sysstat_t) - -miscfiles_read_localization(sysstat_t) - -userdom_dontaudit_list_user_home_dirs(sysstat_t) - -optional_policy(` - cron_system_entry(sysstat_t, sysstat_exec_t) -') - -optional_policy(` - logging_send_syslog_msg(sysstat_t) -') diff --git a/policy/modules/services/tcpd.fc b/policy/modules/services/tcpd.fc deleted file mode 100644 index 2e8d7a1d3..000000000 --- a/policy/modules/services/tcpd.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0) diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if deleted file mode 100644 index 2075ebb59..000000000 --- a/policy/modules/services/tcpd.if +++ /dev/null @@ -1,45 +0,0 @@ -## Policy for TCP daemon. - -######################################## -## -## Execute tcpd in the tcpd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tcpd_domtrans',` - gen_require(` - type tcpd_t, tcpd_exec_t; - ') - - domtrans_pattern($1, tcpd_exec_t, tcpd_t) -') - -######################################## -## -## Create a domain for services that -## utilize tcp wrappers. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# -interface(`tcpd_wrapped_domain',` - gen_require(` - type tcpd_t; - role system_r; - ') - - domtrans_pattern(tcpd_t, $2, $1) - role system_r types $1; -') diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te deleted file mode 100644 index 7038b5591..000000000 --- a/policy/modules/services/tcpd.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(tcpd, 1.4.0) - -######################################## -# -# Declarations -# -type tcpd_t; -type tcpd_exec_t; -inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) -role system_r types tcpd_t; - -type tcpd_tmp_t; -files_tmp_file(tcpd_tmp_t) - -######################################## -# -# Local policy -# -allow tcpd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) -manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) -files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) - -corenet_all_recvfrom_unlabeled(tcpd_t) -corenet_all_recvfrom_netlabel(tcpd_t) -corenet_tcp_sendrecv_generic_if(tcpd_t) -corenet_tcp_sendrecv_generic_node(tcpd_t) -corenet_tcp_sendrecv_all_ports(tcpd_t) - -fs_getattr_xattr_fs(tcpd_t) - -# Run other daemons in the inetd child domain. -corecmd_search_bin(tcpd_t) - -files_read_etc_files(tcpd_t) -# no good reason for files_dontaudit_search_var, probably nscd -files_dontaudit_search_var(tcpd_t) - -logging_send_syslog_msg(tcpd_t) - -miscfiles_read_localization(tcpd_t) - -sysnet_read_config(tcpd_t) - -inetd_domtrans_child(tcpd_t) - -optional_policy(` - nis_use_ypbind(tcpd_t) -') diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc deleted file mode 100644 index 1a6527cd6..000000000 --- a/policy/modules/services/tcsd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) -/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) -/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if deleted file mode 100644 index 595f5a7e7..000000000 --- a/policy/modules/services/tcsd.if +++ /dev/null @@ -1,150 +0,0 @@ -## TSS Core Services (TCS) daemon (tcsd) policy - -######################################## -## -## Execute a domain transition to run tcsd. -## -## -## -## Domain allowed access. -## -## -# -interface(`tcsd_domtrans',` - gen_require(` - type tcsd_t, tcsd_exec_t; - ') - - domtrans_pattern($1, tcsd_exec_t, tcsd_t) -') - -######################################## -## -## Execute tcsd server in the tcsd domain. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`tcsd_initrc_domtrans',` - gen_require(` - type tcsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tcsd_initrc_exec_t) -') - -######################################## -## -## Search tcsd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`tcsd_search_lib',` - gen_require(` - type tcsd_var_lib_t; - ') - - allow $1 tcsd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Manage tcsd lib dirs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tcsd_manage_lib_dirs',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -') - -######################################## -## -## Read tcsd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tcsd_read_lib_files',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## tcsd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tcsd_manage_lib_files',` - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an tcsd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tcsd_admin',` - gen_require(` - type tcsd_t; - type tcsd_initrc_exec_t; - type tcsd_var_lib_t; - ') - - allow $1 tcsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tcsd_t) - - tcsd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tcsd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_var_lib($1) - admin_pattern($1, tcsd_var_lib_t) -') diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te deleted file mode 100644 index ee9f3c6ea..000000000 --- a/policy/modules/services/tcsd.te +++ /dev/null @@ -1,50 +0,0 @@ -policy_module(tcsd, 1.0.0) - -######################################## -# -# Declarations -# - -type tcsd_t; -type tcsd_exec_t; -domain_type(tcsd_t) -init_daemon_domain(tcsd_t, tcsd_exec_t) - -type tcsd_initrc_exec_t; -init_script_file(tcsd_initrc_exec_t) - -type tcsd_var_lib_t; -files_type(tcsd_var_lib_t) - -######################################## -# -# tcsd local policy -# - -allow tcsd_t self:capability { dac_override setuid }; -allow tcsd_t self:process { signal sigkill }; -allow tcsd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) -manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) -files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) - -# Accept connections on the TCS port over loopback. -corenet_all_recvfrom_unlabeled(tcsd_t) -corenet_tcp_bind_generic_node(tcsd_t) -corenet_tcp_bind_tcs_port(tcsd_t) - -dev_read_urand(tcsd_t) -# Access /dev/tpm0. -dev_rw_tpm(tcsd_t) - -files_read_etc_files(tcsd_t) -files_read_usr_files(tcsd_t) - -auth_use_nsswitch(tcsd_t) - -logging_send_syslog_msg(tcsd_t) - -miscfiles_read_localization(tcsd_t) - -sysnet_dns_name_resolve(tcsd_t) diff --git a/policy/modules/services/telnet.fc b/policy/modules/services/telnet.fc deleted file mode 100644 index 7405170a1..000000000 --- a/policy/modules/services/telnet.fc +++ /dev/null @@ -1,4 +0,0 @@ - -/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) - -/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if deleted file mode 100644 index 58e7ec000..000000000 --- a/policy/modules/services/telnet.if +++ /dev/null @@ -1 +0,0 @@ -## Telnet daemon diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te deleted file mode 100644 index f40e67b15..000000000 --- a/policy/modules/services/telnet.te +++ /dev/null @@ -1,100 +0,0 @@ -policy_module(telnet, 1.10.0) - -######################################## -# -# Declarations -# - -type telnetd_t; -type telnetd_exec_t; -inetd_service_domain(telnetd_t, telnetd_exec_t) -role system_r types telnetd_t; - -type telnetd_devpts_t; #, userpty_type; -term_login_pty(telnetd_devpts_t) - -type telnetd_tmp_t; -files_tmp_file(telnetd_tmp_t) - -type telnetd_var_run_t; -files_pid_file(telnetd_var_run_t) - -######################################## -# -# Local policy -# - -allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; -allow telnetd_t self:process signal_perms; -allow telnetd_t self:fifo_file rw_fifo_file_perms; -allow telnetd_t self:tcp_socket connected_stream_socket_perms; -allow telnetd_t self:udp_socket create_socket_perms; -# for identd; cjp: this should probably only be inetd_child rules? -allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow telnetd_t self:capability { setuid setgid }; - -allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; -term_create_pty(telnetd_t, telnetd_devpts_t) - -manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) - -manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) -files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) - -kernel_read_kernel_sysctls(telnetd_t) -kernel_read_system_state(telnetd_t) -kernel_read_network_state(telnetd_t) - -corenet_all_recvfrom_unlabeled(telnetd_t) -corenet_all_recvfrom_netlabel(telnetd_t) -corenet_tcp_sendrecv_generic_if(telnetd_t) -corenet_udp_sendrecv_generic_if(telnetd_t) -corenet_tcp_sendrecv_generic_node(telnetd_t) -corenet_udp_sendrecv_generic_node(telnetd_t) -corenet_tcp_sendrecv_all_ports(telnetd_t) -corenet_udp_sendrecv_all_ports(telnetd_t) - -dev_read_urand(telnetd_t) - -domain_interactive_fd(telnetd_t) - -fs_getattr_xattr_fs(telnetd_t) - -auth_rw_login_records(telnetd_t) -auth_use_nsswitch(telnetd_t) - -corecmd_search_bin(telnetd_t) - -files_read_usr_files(telnetd_t) -files_read_etc_files(telnetd_t) -files_read_etc_runtime_files(telnetd_t) -# for identd; cjp: this should probably only be inetd_child rules? -files_search_home(telnetd_t) - -init_rw_utmp(telnetd_t) - -logging_send_syslog_msg(telnetd_t) - -miscfiles_read_localization(telnetd_t) - -seutil_read_config(telnetd_t) - -remotelogin_domtrans(telnetd_t) - -userdom_search_user_home_dirs(telnetd_t) -userdom_setattr_user_ptys(telnetd_t) - -optional_policy(` - kerberos_keytab_template(telnetd, telnetd_t) - kerberos_manage_host_rcache(telnetd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(telnetd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(telnetd_t) -') diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc deleted file mode 100644 index 25eee4396..000000000 --- a/policy/modules/services/tftp.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) -/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) - -/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) -/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) - -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if deleted file mode 100644 index 38bb3127d..000000000 --- a/policy/modules/services/tftp.if +++ /dev/null @@ -1,67 +0,0 @@ -## Trivial file transfer protocol daemon - -######################################## -## -## Read tftp content -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_read_content',` - gen_require(` - type tftpdir_t; - ') - - read_files_pattern($1, tftpdir_t, tftpdir_t) -') - -######################################## -## -## Manage tftp /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tftp_manage_rw_content',` - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -') - -######################################## -## -## All of the rules required to administrate -## an tftp environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`tftp_admin',` - gen_require(` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; - ') - - allow $1 tftpd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, tftpd_t) - - admin_pattern($1, tftpdir_rw_t) - - admin_pattern($1, tftpdir_t) - - files_list_pids($1) - admin_pattern($1, tftpd_var_run_t) -') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te deleted file mode 100644 index d50c10d0a..000000000 --- a/policy/modules/services/tftp.te +++ /dev/null @@ -1,106 +0,0 @@ -policy_module(tftp, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow tftp to modify public files -## used for public file transfer services. -##

-## -gen_tunable(tftp_anon_write, false) - -type tftpd_t; -type tftpd_exec_t; -init_daemon_domain(tftpd_t, tftpd_exec_t) - -type tftpd_var_run_t; -files_pid_file(tftpd_var_run_t) - -type tftpdir_t; -files_type(tftpdir_t) - -type tftpdir_rw_t; -files_type(tftpdir_rw_t) - -######################################## -# -# Local policy -# - -allow tftpd_t self:capability { setgid setuid sys_chroot }; -allow tftpd_t self:tcp_socket create_stream_socket_perms; -allow tftpd_t self:udp_socket create_socket_perms; -allow tftpd_t self:unix_dgram_socket create_socket_perms; -allow tftpd_t self:unix_stream_socket create_stream_socket_perms; -dontaudit tftpd_t self:capability sys_tty_config; - -allow tftpd_t tftpdir_t:dir list_dir_perms; -allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file { getattr read }; - -manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) - -manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) -files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) - -kernel_read_system_state(tftpd_t) -kernel_read_kernel_sysctls(tftpd_t) - -corenet_all_recvfrom_unlabeled(tftpd_t) -corenet_all_recvfrom_netlabel(tftpd_t) -corenet_tcp_sendrecv_generic_if(tftpd_t) -corenet_udp_sendrecv_generic_if(tftpd_t) -corenet_tcp_sendrecv_generic_node(tftpd_t) -corenet_udp_sendrecv_generic_node(tftpd_t) -corenet_tcp_sendrecv_all_ports(tftpd_t) -corenet_udp_sendrecv_all_ports(tftpd_t) -corenet_tcp_bind_generic_node(tftpd_t) -corenet_udp_bind_generic_node(tftpd_t) -corenet_udp_bind_tftp_port(tftpd_t) -corenet_sendrecv_tftp_server_packets(tftpd_t) - -dev_read_sysfs(tftpd_t) - -fs_getattr_all_fs(tftpd_t) -fs_search_auto_mountpoints(tftpd_t) - -domain_use_interactive_fds(tftpd_t) - -files_read_etc_files(tftpd_t) -files_read_etc_runtime_files(tftpd_t) -files_read_var_files(tftpd_t) -files_read_var_symlinks(tftpd_t) -files_search_var(tftpd_t) - -auth_use_nsswitch(tftpd_t) - -logging_send_syslog_msg(tftpd_t) - -miscfiles_read_localization(tftpd_t) -miscfiles_read_public_files(tftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(tftpd_t) -userdom_dontaudit_use_user_terminals(tftpd_t) -userdom_dontaudit_search_user_home_dirs(tftpd_t) - -tunable_policy(`tftp_anon_write',` - miscfiles_manage_public_files(tftpd_t) -') - -optional_policy(` - inetd_udp_service_domain(tftpd_t, tftpd_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(tftpd_t) -') - -optional_policy(` - udev_read_db(tftpd_t) -') diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc deleted file mode 100644 index 8294f6fc7..000000000 --- a/policy/modules/services/tgtd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) -/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) -/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if deleted file mode 100644 index c2ed23a8b..000000000 --- a/policy/modules/services/tgtd.if +++ /dev/null @@ -1,46 +0,0 @@ -## Linux Target Framework Daemon. -## -##

-## Linux target framework (tgt) aims to simplify various -## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation -## and maintenance. Our key goals are the clean integration into -## the scsi-mid layer and implementing a great portion of tgt -## in user space. -##

-## - -##################################### -## -## Allow read and write access to tgtd semaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`tgtd_rw_semaphores',` - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem rw_sem_perms; -') - -###################################### -## -## Manage tgtd sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`tgtd_manage_semaphores',` - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem create_sem_perms; -') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te deleted file mode 100644 index 80fe75ce7..000000000 --- a/policy/modules/services/tgtd.te +++ /dev/null @@ -1,66 +0,0 @@ -policy_module(tgtd, 1.2.0) - -######################################## -# -# TGTD personal declarations. -# - -type tgtd_t; -type tgtd_exec_t; -init_daemon_domain(tgtd_t, tgtd_exec_t) - -type tgtd_initrc_exec_t; -init_script_file(tgtd_initrc_exec_t) - -type tgtd_tmp_t; -files_tmp_file(tgtd_tmp_t) - -type tgtd_tmpfs_t; -files_tmpfs_file(tgtd_tmpfs_t) - -type tgtd_var_lib_t; -files_type(tgtd_var_lib_t) - -######################################## -# -# TGTD personal policy. -# - -allow tgtd_t self:capability sys_resource; -allow tgtd_t self:process { setrlimit signal }; -allow tgtd_t self:fifo_file rw_fifo_file_perms; -allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; -allow tgtd_t self:shm create_shm_perms; -allow tgtd_t self:sem create_sem_perms; -allow tgtd_t self:tcp_socket create_stream_socket_perms; -allow tgtd_t self:udp_socket create_socket_perms; -allow tgtd_t self:unix_dgram_socket create_socket_perms; - -manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) -files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file }) - -manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) -fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) - -manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) -manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) -files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) - -kernel_read_fs_sysctls(tgtd_t) - -corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) -corenet_tcp_sendrecv_generic_if(tgtd_t) -corenet_tcp_sendrecv_generic_node(tgtd_t) -corenet_tcp_sendrecv_iscsi_port(tgtd_t) -corenet_tcp_bind_generic_node(tgtd_t) -corenet_tcp_bind_iscsi_port(tgtd_t) -corenet_sendrecv_iscsi_server_packets(tgtd_t) - -files_read_etc_files(tgtd_t) - -storage_manage_fixed_disk(tgtd_t) - -logging_send_syslog_msg(tgtd_t) - -miscfiles_read_localization(tgtd_t) diff --git a/policy/modules/services/timidity.fc b/policy/modules/services/timidity.fc deleted file mode 100644 index ed5eef382..000000000 --- a/policy/modules/services/timidity.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0) diff --git a/policy/modules/services/timidity.if b/policy/modules/services/timidity.if deleted file mode 100644 index 989b24092..000000000 --- a/policy/modules/services/timidity.if +++ /dev/null @@ -1 +0,0 @@ -## MIDI to WAV converter and player configured as a service diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te deleted file mode 100644 index 67b5592f6..000000000 --- a/policy/modules/services/timidity.te +++ /dev/null @@ -1,85 +0,0 @@ -policy_module(timidity, 1.9.0) - -# Note: You only need this policy if you want to run timidity as a server - -######################################## -# -# Declarations -# - -type timidity_t; -type timidity_exec_t; -init_daemon_domain(timidity_t, timidity_exec_t) -application_domain(timidity_t, timidity_exec_t) - -type timidity_tmpfs_t; -files_tmpfs_file(timidity_tmpfs_t) - -######################################## -# -# Local policy -# - -allow timidity_t self:capability { dac_override dac_read_search }; -dontaudit timidity_t self:capability sys_tty_config; -allow timidity_t self:process { signal_perms getsched }; -allow timidity_t self:shm create_shm_perms; -allow timidity_t self:unix_stream_socket create_stream_socket_perms; -allow timidity_t self:tcp_socket create_stream_socket_perms; -allow timidity_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) -fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -kernel_read_kernel_sysctls(timidity_t) -# read /proc/cpuinfo -kernel_read_system_state(timidity_t) - -corenet_all_recvfrom_unlabeled(timidity_t) -corenet_all_recvfrom_netlabel(timidity_t) -corenet_tcp_sendrecv_generic_if(timidity_t) -corenet_udp_sendrecv_generic_if(timidity_t) -corenet_tcp_sendrecv_generic_node(timidity_t) -corenet_udp_sendrecv_generic_node(timidity_t) -corenet_tcp_sendrecv_all_ports(timidity_t) -corenet_udp_sendrecv_all_ports(timidity_t) - -dev_read_sysfs(timidity_t) -dev_read_sound(timidity_t) -dev_write_sound(timidity_t) - -fs_search_auto_mountpoints(timidity_t) - -domain_use_interactive_fds(timidity_t) - -files_search_tmp(timidity_t) -# read /usr/share/alsa/alsa.conf -files_read_usr_files(timidity_t) -# read /etc/esd.conf -files_read_etc_files(timidity_t) - -# read libartscbackend.la -libs_read_lib_files(timidity_t) - -logging_send_syslog_msg(timidity_t) - -sysnet_read_config(timidity_t) - -userdom_dontaudit_use_unpriv_user_fds(timidity_t) - -# stupid timidity won't start if it can't search its current directory. -# allow this so /etc/init.d/alsasound start works from /root -# cjp: this should be fixed if possible so this rule can be removed. -userdom_search_user_home_dirs(timidity_t) - -optional_policy(` - seutil_sigchld_newrole(timidity_t) -') - -optional_policy(` - udev_read_db(timidity_t) -') diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc deleted file mode 100644 index e2e06b286..000000000 --- a/policy/modules/services/tor.fc +++ /dev/null @@ -1,12 +0,0 @@ -/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) -/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) - -/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) -/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - -/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) -/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) - -/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) - -/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if deleted file mode 100644 index 904f13e10..000000000 --- a/policy/modules/services/tor.if +++ /dev/null @@ -1,64 +0,0 @@ -## TOR, the onion router - -######################################## -## -## Execute a domain transition to run TOR. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tor_domtrans',` - gen_require(` - type tor_t, tor_exec_t; - ') - - domtrans_pattern($1, tor_exec_t, tor_t) -') - -######################################## -## -## All of the rules required to administrate -## an tor environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the tor domain. -## -## -## -# -interface(`tor_admin',` - gen_require(` - type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_var_run_t; - type tor_initrc_exec_t; - ') - - allow $1 tor_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, tor_t) - - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tor_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, tor_etc_t) - - files_list_var_lib($1) - admin_pattern($1, tor_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, tor_var_log_t) - - files_list_pids($1) - admin_pattern($1, tor_var_run_t) -') diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te deleted file mode 100644 index c842cadf2..000000000 --- a/policy/modules/services/tor.te +++ /dev/null @@ -1,120 +0,0 @@ -policy_module(tor, 1.8.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow tor daemon to bind -## tcp sockets to all unreserved ports. -##

-## -gen_tunable(tor_bind_all_unreserved_ports, false) - -type tor_t; -type tor_exec_t; -init_daemon_domain(tor_t, tor_exec_t) - -# etc/tor -type tor_etc_t; -files_config_file(tor_etc_t) - -type tor_initrc_exec_t; -init_script_file(tor_initrc_exec_t) - -# var/lib/tor -type tor_var_lib_t; -files_type(tor_var_lib_t) - -# log files -type tor_var_log_t; -logging_log_file(tor_var_log_t) - -# pid files -type tor_var_run_t; -files_pid_file(tor_var_run_t) - -######################################## -# -# tor local policy -# - -allow tor_t self:capability { setgid setuid sys_tty_config }; -allow tor_t self:fifo_file rw_fifo_file_perms; -allow tor_t self:unix_stream_socket create_stream_socket_perms; -allow tor_t self:netlink_route_socket r_netlink_socket_perms; -allow tor_t self:tcp_socket create_stream_socket_perms; - -# configuration files -allow tor_t tor_etc_t:dir list_dir_perms; -read_files_pattern(tor_t, tor_etc_t, tor_etc_t) -read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t) - -# var/lib/tor files -manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -files_usr_filetrans(tor_t, tor_var_lib_t, file) -files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file }) -files_var_lib_filetrans(tor_t, tor_var_lib_t, file) - -# log files -allow tor_t tor_var_log_t:dir setattr; -manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) -logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) - -# pid file -manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) -manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) - -kernel_read_system_state(tor_t) - -# networking basics -corenet_all_recvfrom_unlabeled(tor_t) -corenet_all_recvfrom_netlabel(tor_t) -corenet_tcp_sendrecv_generic_if(tor_t) -corenet_udp_sendrecv_generic_if(tor_t) -corenet_tcp_sendrecv_generic_node(tor_t) -corenet_udp_sendrecv_generic_node(tor_t) -corenet_tcp_sendrecv_all_ports(tor_t) -corenet_udp_sendrecv_dns_port(tor_t) -corenet_tcp_sendrecv_all_reserved_ports(tor_t) -corenet_tcp_bind_generic_node(tor_t) -corenet_udp_bind_generic_node(tor_t) -corenet_tcp_bind_tor_port(tor_t) -corenet_udp_bind_dns_port(tor_t) -corenet_sendrecv_tor_server_packets(tor_t) -corenet_sendrecv_dns_server_packets(tor_t) -# TOR will need to connect to various ports -corenet_tcp_connect_all_ports(tor_t) -corenet_sendrecv_all_client_packets(tor_t) -# ... especially including port 80 and other privileged ports -corenet_tcp_connect_all_reserved_ports(tor_t) - -# tor uses crypto and needs random -dev_read_urand(tor_t) - -domain_use_interactive_fds(tor_t) - -files_read_etc_files(tor_t) -files_read_etc_runtime_files(tor_t) -files_read_usr_files(tor_t) - -auth_use_nsswitch(tor_t) - -logging_send_syslog_msg(tor_t) - -miscfiles_read_localization(tor_t) - -tunable_policy(`tor_bind_all_unreserved_ports', ` - corenet_tcp_bind_all_unreserved_ports(tor_t) -') - -optional_policy(` - seutil_sigchld_newrole(tor_t) -') diff --git a/policy/modules/services/transproxy.fc b/policy/modules/services/transproxy.fc deleted file mode 100644 index ce33f1791..000000000 --- a/policy/modules/services/transproxy.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0) - -/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) diff --git a/policy/modules/services/transproxy.if b/policy/modules/services/transproxy.if deleted file mode 100644 index 23323f9a3..000000000 --- a/policy/modules/services/transproxy.if +++ /dev/null @@ -1 +0,0 @@ -## HTTP transperant proxy diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te deleted file mode 100644 index 95cf0c076..000000000 --- a/policy/modules/services/transproxy.te +++ /dev/null @@ -1,65 +0,0 @@ -policy_module(transproxy, 1.7.0) - -######################################## -# -# Declarations -# - -type transproxy_t; -type transproxy_exec_t; -init_daemon_domain(transproxy_t, transproxy_exec_t) - -type transproxy_var_run_t; -files_pid_file(transproxy_var_run_t) - -######################################## -# -# Local policy -# - -allow transproxy_t self:capability { setgid setuid }; -dontaudit transproxy_t self:capability sys_tty_config; -allow transproxy_t self:process signal_perms; -allow transproxy_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t) -files_pid_filetrans(transproxy_t, transproxy_var_run_t, file) - -kernel_read_kernel_sysctls(transproxy_t) -kernel_list_proc(transproxy_t) -kernel_read_proc_symlinks(transproxy_t) - -corenet_all_recvfrom_unlabeled(transproxy_t) -corenet_all_recvfrom_netlabel(transproxy_t) -corenet_tcp_sendrecv_generic_if(transproxy_t) -corenet_tcp_sendrecv_generic_node(transproxy_t) -corenet_tcp_sendrecv_all_ports(transproxy_t) -corenet_tcp_bind_generic_node(transproxy_t) -corenet_tcp_bind_transproxy_port(transproxy_t) -corenet_sendrecv_transproxy_server_packets(transproxy_t) - -dev_read_sysfs(transproxy_t) - -domain_use_interactive_fds(transproxy_t) - -files_read_etc_files(transproxy_t) - -fs_getattr_all_fs(transproxy_t) -fs_search_auto_mountpoints(transproxy_t) - -logging_send_syslog_msg(transproxy_t) - -miscfiles_read_localization(transproxy_t) - -sysnet_read_config(transproxy_t) - -userdom_dontaudit_use_unpriv_user_fds(transproxy_t) -userdom_dontaudit_search_user_home_dirs(transproxy_t) - -optional_policy(` - seutil_sigchld_newrole(transproxy_t) -') - -optional_policy(` - udev_read_db(transproxy_t) -') diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc deleted file mode 100644 index 639c962c6..000000000 --- a/policy/modules/services/tuned.fc +++ /dev/null @@ -1,8 +0,0 @@ -/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) - -/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) - -/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) -/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) - -/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if deleted file mode 100644 index 54b86059b..000000000 --- a/policy/modules/services/tuned.if +++ /dev/null @@ -1,129 +0,0 @@ -## Dynamic adaptive system tuning daemon - -######################################## -## -## Execute a domain transition to run tuned. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`tuned_domtrans',` - gen_require(` - type tuned_t, tuned_exec_t; - ') - - domtrans_pattern($1, tuned_exec_t, tuned_t) -') - -####################################### -## -## Execute tuned in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_exec',` - gen_require(` - type tuned_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, tuned_exec_t) -') - -###################################### -## -## Read tuned PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_read_pid_files',` - gen_require(` - type tuned_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, tuned_var_run_t, tuned_var_run_t) -') - -####################################### -## -## Manage tuned PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_manage_pid_files',` - gen_require(` - type tuned_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t) -') - -######################################## -## -## Execute tuned server in the tuned domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`tuned_initrc_domtrans',` - gen_require(` - type tuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tuned_initrc_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an tuned environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`tuned_admin',` - gen_require(` - type tuned_t, tuned_var_run_t; - type tuned_initrc_exec_t; - ') - - allow $1 tuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, tuned_t) - - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tuned_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) - admin_pattern($1, tuned_var_run_t) -') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te deleted file mode 100644 index db9d2a594..000000000 --- a/policy/modules/services/tuned.te +++ /dev/null @@ -1,64 +0,0 @@ -policy_module(tuned, 1.1.0) - -######################################## -# -# Declarations -# - -type tuned_t; -type tuned_exec_t; -init_daemon_domain(tuned_t, tuned_exec_t) - -type tuned_initrc_exec_t; -init_script_file(tuned_initrc_exec_t) - -type tuned_log_t; -logging_log_file(tuned_log_t) - -type tuned_var_run_t; -files_pid_file(tuned_var_run_t) - -######################################## -# -# tuned local policy -# - -dontaudit tuned_t self:capability { dac_override sys_tty_config }; - -manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) -manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -logging_log_filetrans(tuned_t, tuned_log_t, file) - -manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -files_pid_filetrans(tuned_t, tuned_var_run_t, file) - -corecmd_exec_shell(tuned_t) -corecmd_exec_bin(tuned_t) - -kernel_read_system_state(tuned_t) -kernel_read_network_state(tuned_t) - -dev_read_urand(tuned_t) -dev_read_sysfs(tuned_t) -# to allow cpu tuning -dev_rw_netcontrol(tuned_t) - -files_read_etc_files(tuned_t) -files_read_usr_files(tuned_t) -files_dontaudit_search_home(tuned_t) - -logging_send_syslog_msg(tuned_t) - -miscfiles_read_localization(tuned_t) - -userdom_dontaudit_search_user_home_dirs(tuned_t) - -# to allow disk tuning -optional_policy(` - fstools_domtrans(tuned_t) -') - -# to allow network interface tuning -optional_policy(` - sysnet_domtrans_ifconfig(tuned_t) -') diff --git a/policy/modules/services/ucspitcp.fc b/policy/modules/services/ucspitcp.fc deleted file mode 100644 index 667d0b5ff..000000000 --- a/policy/modules/services/ucspitcp.fc +++ /dev/null @@ -1,3 +0,0 @@ - -/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0) -/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0) diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if deleted file mode 100644 index c1feba4f5..000000000 --- a/policy/modules/services/ucspitcp.if +++ /dev/null @@ -1,38 +0,0 @@ -## ucspitcp policy -## -##

-## Policy for DJB's ucspi-tcpd -##

-## - -######################################## -## -## Define a specified domain as a ucspitcp service. -## -## -## -## Domain allowed access. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`ucspitcp_service_domain', ` - gen_require(` - type ucspitcp_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domain_auto_trans(ucspitcp_t, $2, $1) - allow $1 ucspitcp_t:fd use; - allow $1 ucspitcp_t:process sigchld; - allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms; -') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te deleted file mode 100644 index a0794bf50..000000000 --- a/policy/modules/services/ucspitcp.te +++ /dev/null @@ -1,93 +0,0 @@ -policy_module(ucspitcp, 1.3.0) - -######################################## -# -# Declarations -# - -type rblsmtpd_t; -type rblsmtpd_exec_t; -init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) -role system_r types rblsmtpd_t; - -type ucspitcp_t; -type ucspitcp_exec_t; -init_system_domain(ucspitcp_t, ucspitcp_exec_t) -role system_r types ucspitcp_t; - -######################################## -# -# Local policy for rblsmtpd -# - -ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) - -corecmd_search_bin(rblsmtpd_t) - -corenet_all_recvfrom_unlabeled(rblsmtpd_t) -corenet_all_recvfrom_netlabel(rblsmtpd_t) -corenet_tcp_sendrecv_generic_if(rblsmtpd_t) -corenet_udp_sendrecv_generic_if(rblsmtpd_t) -corenet_tcp_sendrecv_generic_node(rblsmtpd_t) -corenet_udp_sendrecv_generic_node(rblsmtpd_t) -corenet_tcp_sendrecv_all_ports(rblsmtpd_t) -corenet_udp_sendrecv_all_ports(rblsmtpd_t) -corenet_tcp_bind_generic_node(rblsmtpd_t) -corenet_udp_bind_generic_port(rblsmtpd_t) - -files_read_etc_files(rblsmtpd_t) -files_search_var(rblsmtpd_t) - -optional_policy(` - daemontools_ipc_domain(rblsmtpd_t) -') - -######################################## -# -# Local policy for tcpserver -# - -allow ucspitcp_t self:capability { setgid setuid }; -allow ucspitcp_t self:fifo_file rw_fifo_file_perms; -allow ucspitcp_t self:tcp_socket create_stream_socket_perms; -allow ucspitcp_t self:udp_socket create_socket_perms; - -corecmd_search_bin(ucspitcp_t) - -# base networking: -corenet_all_recvfrom_unlabeled(ucspitcp_t) -corenet_all_recvfrom_netlabel(ucspitcp_t) -corenet_tcp_sendrecv_generic_if(ucspitcp_t) -corenet_udp_sendrecv_generic_if(ucspitcp_t) -corenet_tcp_sendrecv_generic_node(ucspitcp_t) -corenet_udp_sendrecv_generic_node(ucspitcp_t) -corenet_tcp_sendrecv_all_ports(ucspitcp_t) -corenet_udp_sendrecv_all_ports(ucspitcp_t) -corenet_tcp_bind_generic_node(ucspitcp_t) -corenet_udp_bind_generic_node(ucspitcp_t) - -# server ports: -corenet_tcp_bind_ftp_port(ucspitcp_t) -corenet_tcp_bind_ftp_data_port(ucspitcp_t) -corenet_tcp_bind_http_port(ucspitcp_t) -corenet_tcp_bind_smtp_port(ucspitcp_t) -corenet_tcp_bind_dns_port(ucspitcp_t) -corenet_udp_bind_dns_port(ucspitcp_t) -corenet_udp_bind_generic_port(ucspitcp_t) - -# server packets: -corenet_sendrecv_ftp_server_packets(ucspitcp_t) -corenet_sendrecv_http_server_packets(ucspitcp_t) -corenet_sendrecv_smtp_server_packets(ucspitcp_t) -corenet_sendrecv_dns_server_packets(ucspitcp_t) -corenet_sendrecv_generic_server_packets(ucspitcp_t) - -files_search_var(ucspitcp_t) -files_read_etc_files(ucspitcp_t) - -sysnet_read_config(ucspitcp_t) - -optional_policy(` - daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) - daemontools_read_svc(ucspitcp_t) -') diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc deleted file mode 100644 index 831b4a36c..000000000 --- a/policy/modules/services/ulogd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) -/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) - -/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) -/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) - -/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if deleted file mode 100644 index d23be5cea..000000000 --- a/policy/modules/services/ulogd.if +++ /dev/null @@ -1,142 +0,0 @@ -## Iptables/netfilter userspace logging daemon. - -######################################## -## -## Execute a domain transition to run ulogd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`ulogd_domtrans',` - gen_require(` - type ulogd_t, ulogd_exec_t; - ') - - domtrans_pattern($1, ulogd_exec_t, ulogd_t) -') - -######################################## -## -## Allow the specified domain to read -## ulogd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ulogd_read_config',` - gen_require(` - type ulogd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) -') - -######################################## -## -## Allow the specified domain to read ulogd's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ulogd_read_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) -') - -####################################### -## -## Allow the specified domain to search ulogd's log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`ulogd_search_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir search_dir_perms; -') - -######################################## -## -## Allow the specified domain to append to ulogd's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`ulogd_append_log',` - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - allow $1 ulogd_var_log_t:file append_file_perms; -') - -######################################## -## -## All of the rules required to administrate -## an ulogd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`ulogd_admin',` - gen_require(` - type ulogd_t, ulogd_etc_t, ulogd_modules_t; - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - - allow $1 ulogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ulogd_t) - - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ulogd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, ulogd_etc_t) - - logging_list_logs($1) - admin_pattern($1, ulogd_var_log_t) - - files_list_usr($1) - admin_pattern($1, ulogd_modules_t) -') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te deleted file mode 100644 index 3b953f571..000000000 --- a/policy/modules/services/ulogd.te +++ /dev/null @@ -1,67 +0,0 @@ -policy_module(ulogd, 1.2.0) - -######################################## -# -# Declarations -# - -type ulogd_t; -type ulogd_exec_t; -init_daemon_domain(ulogd_t, ulogd_exec_t) - -# config files -type ulogd_etc_t; -files_type(ulogd_etc_t) - -type ulogd_initrc_exec_t; -init_script_file(ulogd_initrc_exec_t) - -# /usr/lib files -type ulogd_modules_t; -files_type(ulogd_modules_t) - -# log files -type ulogd_var_log_t; -logging_log_file(ulogd_var_log_t) - -######################################## -# -# ulogd local policy -# - -allow ulogd_t self:capability net_admin; -allow ulogd_t self:netlink_nflog_socket create_socket_perms; - -# config files -read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) - -# modules for ulogd -list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) -mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) - -# log files -manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - -files_read_etc_files(ulogd_t) -files_read_usr_files(ulogd_t) - -miscfiles_read_localization(ulogd_t) - -optional_policy(` - allow ulogd_t self:tcp_socket create_stream_socket_perms; - - mysql_stream_connect(ulogd_t) - mysql_tcp_connect(ulogd_t) - - sysnet_dns_name_resolve(ulogd_t) -') - -optional_policy(` - allow ulogd_t self:tcp_socket create_stream_socket_perms; - - postgresql_stream_connect(ulogd_t) - postgresql_tcp_connect(ulogd_t) - - sysnet_dns_name_resolve(ulogd_t) -') diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc deleted file mode 100644 index e30d6fc0e..000000000 --- a/policy/modules/services/uptime.fc +++ /dev/null @@ -1,6 +0,0 @@ - -/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0) - -/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0) - -/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) diff --git a/policy/modules/services/uptime.if b/policy/modules/services/uptime.if deleted file mode 100644 index 447abf76f..000000000 --- a/policy/modules/services/uptime.if +++ /dev/null @@ -1 +0,0 @@ -## Uptime daemon diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te deleted file mode 100644 index c2cf97e25..000000000 --- a/policy/modules/services/uptime.te +++ /dev/null @@ -1,73 +0,0 @@ -policy_module(uptime, 1.4.0) - -######################################## -# -# Declarations -# - -type uptimed_t; -type uptimed_exec_t; -init_daemon_domain(uptimed_t, uptimed_exec_t) - -type uptimed_etc_t alias etc_uptimed_t; -files_config_file(uptimed_etc_t) - -type uptimed_spool_t; -files_type(uptimed_spool_t) - -type uptimed_var_run_t; -files_pid_file(uptimed_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit uptimed_t self:capability sys_tty_config; -allow uptimed_t self:process signal_perms; -allow uptimed_t self:fifo_file write_file_perms; - -allow uptimed_t uptimed_etc_t:file read_file_perms; -files_search_etc(uptimed_t) - -allow uptimed_t uptimed_spool_t:file manage_file_perms; - -manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t) -files_pid_filetrans(uptimed_t, uptimed_var_run_t, file) - -manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) -manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) -files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file }) - -kernel_read_system_state(uptimed_t) -kernel_read_kernel_sysctls(uptimed_t) - -corecmd_exec_shell(uptimed_t) - -dev_read_sysfs(uptimed_t) - -domain_use_interactive_fds(uptimed_t) - -files_read_etc_runtime_files(uptimed_t) - -fs_getattr_all_fs(uptimed_t) -fs_search_auto_mountpoints(uptimed_t) - -logging_send_syslog_msg(uptimed_t) - -miscfiles_read_localization(uptimed_t) - -userdom_dontaudit_use_unpriv_user_fds(uptimed_t) -userdom_dontaudit_search_user_home_dirs(uptimed_t) - -optional_policy(` - mta_send_mail(uptimed_t) -') - -optional_policy(` - seutil_sigchld_newrole(uptimed_t) -') - -optional_policy(` - udev_read_db(uptimed_t) -') diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc deleted file mode 100644 index 40b8b8d30..000000000 --- a/policy/modules/services/usbmuxd.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - -/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if deleted file mode 100644 index 53792d33c..000000000 --- a/policy/modules/services/usbmuxd.if +++ /dev/null @@ -1,39 +0,0 @@ -## USB multiplexing daemon for communicating with Apple iPod Touch and iPhone - -######################################## -## -## Execute a domain transition to run usbmuxd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`usbmuxd_domtrans',` - gen_require(` - type usbmuxd_t, usbmuxd_exec_t; - ') - - domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) -') - -##################################### -## -## Connect to usbmuxd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`usbmuxd_stream_connect',` - gen_require(` - type usbmuxd_t, usbmuxd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) -') diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te deleted file mode 100644 index 4440aa684..000000000 --- a/policy/modules/services/usbmuxd.te +++ /dev/null @@ -1,42 +0,0 @@ -policy_module(usbmuxd, 1.1.0) - -######################################## -# -# Declarations -# - -type usbmuxd_t; -type usbmuxd_exec_t; -application_domain(usbmuxd_t, usbmuxd_exec_t) -role system_r types usbmuxd_t; - -type usbmuxd_var_run_t; -files_pid_file(usbmuxd_var_run_t) - -######################################## -# -# usbmuxd local policy -# - -allow usbmuxd_t self:capability { kill setgid setuid }; -allow usbmuxd_t self:process { fork signal signull }; -allow usbmuxd_t self:fifo_file rw_fifo_file_perms; - -manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) - -kernel_read_kernel_sysctls(usbmuxd_t) -kernel_read_system_state(usbmuxd_t) - -dev_read_sysfs(usbmuxd_t) -dev_rw_generic_usb_dev(usbmuxd_t) - -files_read_etc_files(usbmuxd_t) - -miscfiles_read_localization(usbmuxd_t) - -auth_use_nsswitch(usbmuxd_t) - -logging_send_syslog_msg(usbmuxd_t) diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc deleted file mode 100644 index e1c0d8d87..000000000 --- a/policy/modules/services/uucp.fc +++ /dev/null @@ -1,11 +0,0 @@ - -/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0) - -/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0) - -/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) -/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) - -/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) - -/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if deleted file mode 100644 index ebc5414fc..000000000 --- a/policy/modules/services/uucp.if +++ /dev/null @@ -1,120 +0,0 @@ -## Unix to Unix Copy - -######################################## -## -## Execute the uucico program in the -## uucpd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`uucp_domtrans',` - gen_require(` - type uucpd_t, uucpd_exec_t; - ') - - domtrans_pattern($1, uucpd_exec_t, uucpd_t) -') - -######################################## -## -## Allow the specified domain to append -## to uucp log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uucp_append_log',` - gen_require(` - type uucpd_log_t; - ') - - logging_search_logs($1) - allow $1 uucpd_log_t:dir list_dir_perms; - append_files_pattern($1, uucpd_log_t, uucpd_log_t) -') - -######################################## -## -## Create, read, write, and delete uucp spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`uucp_manage_spool',` - gen_require(` - type uucpd_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t) -') - -######################################## -## -## Execute the master uux program in the -## uux_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`uucp_domtrans_uux',` - gen_require(` - type uux_t, uux_exec_t; - ') - - domtrans_pattern($1, uux_exec_t, uux_t) -') - -######################################## -## -## All of the rules required to administrate -## an uucp environment -## -## -## -## Domain allowed access. -## -## -## -# -interface(`uucp_admin',` - gen_require(` - type uucpd_t, uucpd_tmp_t, uucpd_log_t; - type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t; - type uucpd_var_run_t; - ') - - allow $1 uucpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, uucpd_t) - - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) - - files_list_spool($1) - admin_pattern($1, uucpd_spool_t) - - admin_pattern($1, uucpd_ro_t) - - admin_pattern($1, uucpd_rw_t) - - files_list_tmp($1) - admin_pattern($1, uucpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, uucpd_var_run_t) -') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te deleted file mode 100644 index d4349e90a..000000000 --- a/policy/modules/services/uucp.te +++ /dev/null @@ -1,149 +0,0 @@ -policy_module(uucp, 1.12.0) - -######################################## -# -# Declarations -# -type uucpd_t; -type uucpd_exec_t; -inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) - -type uucpd_lock_t; -files_lock_file(uucpd_lock_t) - -type uucpd_tmp_t; -files_tmp_file(uucpd_tmp_t) - -type uucpd_var_run_t; -files_pid_file(uucpd_var_run_t) - -type uucpd_rw_t; -files_type(uucpd_rw_t) - -type uucpd_ro_t; -files_type(uucpd_ro_t) - -type uucpd_spool_t; -files_type(uucpd_spool_t) - -type uucpd_log_t; -logging_log_file(uucpd_log_t) - -type uux_t; -type uux_exec_t; -application_domain(uux_t, uux_exec_t) -role system_r types uux_t; - -######################################## -# -# UUCPd Local policy -# -allow uucpd_t self:capability { setuid setgid }; -allow uucpd_t self:process signal_perms; -allow uucpd_t self:fifo_file rw_fifo_file_perms; -allow uucpd_t self:tcp_socket connected_stream_socket_perms; -allow uucpd_t self:udp_socket create_socket_perms; -allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - -allow uucpd_t uucpd_log_t:dir setattr; -manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t) -logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir }) - -allow uucpd_t uucpd_ro_t:dir list_dir_perms; -read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t) -read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t) - -manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) -manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) -manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) - -uucp_manage_spool(uucpd_t) - -manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) -manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) -files_search_locks(uucpd_t) - -manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) -manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) -files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir }) - -manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t) -files_pid_filetrans(uucpd_t, uucpd_var_run_t, file) - -kernel_read_kernel_sysctls(uucpd_t) -kernel_read_system_state(uucpd_t) -kernel_read_network_state(uucpd_t) - -corenet_all_recvfrom_unlabeled(uucpd_t) -corenet_all_recvfrom_netlabel(uucpd_t) -corenet_tcp_sendrecv_generic_if(uucpd_t) -corenet_udp_sendrecv_generic_if(uucpd_t) -corenet_tcp_sendrecv_generic_node(uucpd_t) -corenet_udp_sendrecv_generic_node(uucpd_t) -corenet_tcp_sendrecv_all_ports(uucpd_t) -corenet_udp_sendrecv_all_ports(uucpd_t) -corenet_tcp_connect_ssh_port(uucpd_t) - -dev_read_urand(uucpd_t) - -fs_getattr_xattr_fs(uucpd_t) - -corecmd_exec_bin(uucpd_t) -corecmd_exec_shell(uucpd_t) - -files_read_etc_files(uucpd_t) -files_search_home(uucpd_t) -files_search_spool(uucpd_t) - -term_setattr_controlling_term(uucpd_t) - -auth_use_nsswitch(uucpd_t) - -logging_send_syslog_msg(uucpd_t) - -miscfiles_read_localization(uucpd_t) - -mta_send_mail(uucpd_t) - -optional_policy(` - cron_system_entry(uucpd_t, uucpd_exec_t) -') - -optional_policy(` - kerberos_use(uucpd_t) -') - -optional_policy(` - ssh_exec(uucpd_t) -') - -######################################## -# -# UUX Local policy -# - -allow uux_t self:capability { setuid setgid }; -allow uux_t self:fifo_file write_fifo_file_perms; - -uucp_append_log(uux_t) -uucp_manage_spool(uux_t) - -corecmd_exec_bin(uux_t) - -files_read_etc_files(uux_t) - -fs_rw_anon_inodefs_files(uux_t) - -logging_send_syslog_msg(uux_t) - -miscfiles_read_localization(uux_t) - -optional_policy(` - mta_send_mail(uux_t) - mta_read_queue(uux_t) - sendmail_dontaudit_rw_unix_stream_sockets(uux_t) -') - -optional_policy(` - nscd_socket_use(uux_t) -') diff --git a/policy/modules/services/uwimap.fc b/policy/modules/services/uwimap.fc deleted file mode 100644 index 43bdef0c9..000000000 --- a/policy/modules/services/uwimap.fc +++ /dev/null @@ -1,2 +0,0 @@ - -/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0) diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if deleted file mode 100644 index 833768449..000000000 --- a/policy/modules/services/uwimap.if +++ /dev/null @@ -1,20 +0,0 @@ -## University of Washington IMAP toolkit POP3 and IMAP mail server - -######################################## -## -## Execute the UW IMAP/POP3 servers with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`uwimap_domtrans',` - gen_require(` - type imapd_t, imapd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, imapd_exec_t, imapd_t) -') diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te deleted file mode 100644 index 41fa663d1..000000000 --- a/policy/modules/services/uwimap.te +++ /dev/null @@ -1,95 +0,0 @@ -policy_module(uwimap, 1.8.0) - -######################################## -# -# Declarations -# - -type imapd_t; -type imapd_exec_t; -init_daemon_domain(imapd_t, imapd_exec_t) -inetd_tcp_service_domain(imapd_t, imapd_exec_t) - -type imapd_tmp_t; -files_tmp_file(imapd_tmp_t) - -type imapd_var_run_t; -files_pid_file(imapd_var_run_t) - -######################################## -# -# Local policy -# - -allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; -dontaudit imapd_t self:capability sys_tty_config; -allow imapd_t self:process signal_perms; -allow imapd_t self:fifo_file rw_fifo_file_perms; -allow imapd_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) -manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) -files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir }) - -manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t) -files_pid_filetrans(imapd_t, imapd_var_run_t, file) - -kernel_read_kernel_sysctls(imapd_t) -kernel_list_proc(imapd_t) -kernel_read_proc_symlinks(imapd_t) - -corenet_all_recvfrom_unlabeled(imapd_t) -corenet_all_recvfrom_netlabel(imapd_t) -corenet_tcp_sendrecv_generic_if(imapd_t) -corenet_tcp_sendrecv_generic_node(imapd_t) -corenet_tcp_sendrecv_all_ports(imapd_t) -corenet_tcp_bind_generic_node(imapd_t) -corenet_tcp_bind_pop_port(imapd_t) -corenet_tcp_connect_all_ports(imapd_t) -corenet_sendrecv_pop_server_packets(imapd_t) -corenet_sendrecv_all_client_packets(imapd_t) - -dev_read_sysfs(imapd_t) -#urandom, for ssl -dev_read_rand(imapd_t) -dev_read_urand(imapd_t) - -domain_use_interactive_fds(imapd_t) - -#read /etc/ for hostname nsswitch.conf -files_read_etc_files(imapd_t) - -fs_getattr_all_fs(imapd_t) -fs_search_auto_mountpoints(imapd_t) - -auth_domtrans_chk_passwd(imapd_t) - -logging_send_syslog_msg(imapd_t) - -miscfiles_read_localization(imapd_t) - -sysnet_read_config(imapd_t) - -userdom_dontaudit_use_unpriv_user_fds(imapd_t) -# cjp: this is excessive, should be limited to the -# mail directories -userdom_manage_user_home_content_dirs(imapd_t) -userdom_manage_user_home_content_files(imapd_t) -userdom_manage_user_home_content_symlinks(imapd_t) -userdom_manage_user_home_content_pipes(imapd_t) -userdom_manage_user_home_content_sockets(imapd_t) -userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file }) - -mta_rw_spool(imapd_t) - -optional_policy(` - seutil_sigchld_newrole(imapd_t) -') - -optional_policy(` - tcpd_wrapped_domain(imapd_t, imapd_exec_t) -') - -optional_policy(` - udev_read_db(imapd_t) -') diff --git a/policy/modules/services/varnishd.fc b/policy/modules/services/varnishd.fc deleted file mode 100644 index 194d123ce..000000000 --- a/policy/modules/services/varnishd.fc +++ /dev/null @@ -1,18 +0,0 @@ -/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) -/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) - -/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0) - -/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0) -/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0) - -/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0) - -/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0) - -/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0) - -/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0) -/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) -/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if deleted file mode 100644 index 93975d6d7..000000000 --- a/policy/modules/services/varnishd.if +++ /dev/null @@ -1,216 +0,0 @@ -## Varnishd http accelerator daemon - -####################################### -## -## Execute varnishd in the varnishd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`varnishd_domtrans',` - gen_require(` - type varnishd_t, varnishd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, varnishd_exec_t, varnishd_t) -') - -####################################### -## -## Execute varnishd -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_exec',` - gen_require(` - type varnishd_exec_t; - ') - - can_exec($1, varnishd_exec_t) -') - -###################################### -## -## Read varnishd configuration file. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_read_config',` - gen_require(` - type varnishd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) -') - -##################################### -## -## Read varnish lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_read_lib_files',` - gen_require(` - type varnishd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) -') - -####################################### -## -## Read varnish logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_read_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -###################################### -## -## Append varnish logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_append_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -##################################### -## -## Manage varnish logs. -## -## -## -## Domain allowed access. -## -## -# -interface(`varnishd_manage_log',` - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) -') - -###################################### -## -## All of the rules required to administrate -## an varnishlog environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the varnishlog domain. -## -## -## -# -interface(`varnishd_admin_varnishlog',` - gen_require(` - type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; - type varnishlog_var_run_t; - ') - - allow $1 varnishlog_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishlog_t) - - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishlog_initrc_exec_t system_r; - allow $2 system_r; - - files_list_pids($1) - admin_pattern($1, varnishlog_var_run_t) - - logging_list_logs($1) - admin_pattern($1, varnishlog_log_t) -') - -####################################### -## -## All of the rules required to administrate -## an varnishd environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the varnishd domain. -## -## -## -# -interface(`varnishd_admin',` - gen_require(` - type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; - type varnishd_var_run_t, varnishd_tmp_t; - type varnishd_initrc_exec_t; - ') - - allow $1 varnishd_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishd_t) - - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_var_lib($1) - admin_pattern($1, varnishd_var_lib_t) - - files_list_etc($1) - admin_pattern($1, varnishd_etc_t) - - files_list_pids($1) - admin_pattern($1, varnishd_var_run_t) - - files_list_tmp($1) - admin_pattern($1, varnishd_tmp_t) -') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te deleted file mode 100644 index f9310f3a4..000000000 --- a/policy/modules/services/varnishd.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(varnishd, 1.2.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow varnishd to connect to all ports, -## not just HTTP. -##

-## -gen_tunable(varnishd_connect_any, false) - -type varnishd_t; -type varnishd_exec_t; -init_daemon_domain(varnishd_t, varnishd_exec_t) - -type varnishd_initrc_exec_t; -init_script_file(varnishd_initrc_exec_t) - -type varnishd_etc_t; -files_type(varnishd_etc_t) - -type varnishd_tmp_t; -files_tmp_file(varnishd_tmp_t) - -type varnishd_var_lib_t; -files_type(varnishd_var_lib_t) - -type varnishd_var_run_t; -files_pid_file(varnishd_var_run_t) - -type varnishlog_t; -type varnishlog_exec_t; -init_daemon_domain(varnishlog_t, varnishlog_exec_t) - -type varnishlog_initrc_exec_t; -init_script_file(varnishlog_initrc_exec_t) - -type varnishlog_var_run_t; -files_pid_file(varnishlog_var_run_t) - -type varnishlog_log_t; -files_type(varnishlog_log_t) - -######################################## -# -# varnishd local policy -# - -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; -allow varnishd_t self:fifo_file rw_fifo_file_perms; -allow varnishd_t self:tcp_socket create_stream_socket_perms; -allow varnishd_t self:udp_socket create_socket_perms; - -read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) -list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) - -manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) -manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) -files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir }) - -exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) -files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) - -manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) -files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) - -kernel_read_system_state(varnishd_t) - -corecmd_exec_bin(varnishd_t) -corecmd_exec_shell(varnishd_t) - -corenet_tcp_sendrecv_generic_if(varnishd_t) -corenet_tcp_bind_generic_node(varnishd_t) -corenet_tcp_bind_http_port(varnishd_t) -corenet_tcp_bind_http_cache_port(varnishd_t) -corenet_tcp_bind_varnishd_port(varnishd_t) -corenet_tcp_connect_http_cache_port(varnishd_t) -corenet_tcp_connect_http_port(varnishd_t) - -dev_read_urand(varnishd_t) - -fs_getattr_all_fs(varnishd_t) - -auth_use_nsswitch(varnishd_t) - -logging_send_syslog_msg(varnishd_t) - -miscfiles_read_localization(varnishd_t) - -sysnet_read_config(varnishd_t) - -tunable_policy(`varnishd_connect_any',` - corenet_tcp_connect_all_ports(varnishd_t) - corenet_tcp_bind_all_ports(varnishd_t) -') - -####################################### -# -# varnishlog local policy -# - -manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) -files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) - -manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) -logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir }) - -files_search_var_lib(varnishlog_t) -read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t) diff --git a/policy/modules/services/vhostmd.fc b/policy/modules/services/vhostmd.fc deleted file mode 100644 index c1fb32921..000000000 --- a/policy/modules/services/vhostmd.fc +++ /dev/null @@ -1,5 +0,0 @@ -/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) - -/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) - -/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if deleted file mode 100644 index 1f872b5ed..000000000 --- a/policy/modules/services/vhostmd.if +++ /dev/null @@ -1,224 +0,0 @@ -## Virtual host metrics daemon - -######################################## -## -## Execute a domain transition to run vhostmd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vhostmd_domtrans',` - gen_require(` - type vhostmd_t, vhostmd_exec_t; - ') - - domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) -') - -######################################## -## -## Execute vhostmd server in the vhostmd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vhostmd_initrc_domtrans',` - gen_require(` - type vhostmd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) -') - -######################################## -## -## Allow domain to read, vhostmd tmpfs files -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_read_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - allow $1 vhostmd_tmpfs_t:file read_file_perms; - files_search_tmp($1) -') - -######################################## -## -## Do not audit attempts to read, -## vhostmd tmpfs files -## -## -## -## Domain to not audit. -## -## -# -interface(`vhostmd_dontaudit_read_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; -') - -####################################### -## -## Allow domain to read and write vhostmd tmpfs files -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_rw_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - files_search_tmp($1) -') - -######################################## -## -## Create, read, write, and delete vhostmd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_manage_tmpfs_files',` - gen_require(` - type vhostmd_tmpfs_t; - ') - - manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - files_search_tmp($1) -') - -######################################## -## -## Read vhostmd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_read_pid_files',` - gen_require(` - type vhostmd_var_run_t; - ') - - files_search_pids($1) - allow $1 vhostmd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage vhostmd var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_manage_pid_files',` - gen_require(` - type vhostmd_var_run_t; - ') - - manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) -') - -######################################## -## -## Connect to vhostmd over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`vhostmd_stream_connect',` - gen_require(` - type vhostmd_t, vhostmd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) -') - -####################################### -## -## Dontaudit read and write to vhostmd -## over an unix domain stream socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`vhostmd_dontaudit_rw_stream_connect',` - gen_require(` - type vhostmd_t; - ') - - dontaudit $1 vhostmd_t:unix_stream_socket { read write }; -') - -######################################## -## -## All of the rules required to administrate -## an vhostmd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`vhostmd_admin',` - gen_require(` - type vhostmd_t, vhostmd_initrc_exec_t; - ') - - allow $1 vhostmd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, vhostmd_t) - - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 vhostmd_initrc_exec_t system_r; - allow $2 system_r; - - vhostmd_manage_tmpfs_files($1) - - vhostmd_manage_pid_files($1) - -') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te deleted file mode 100644 index 32a3c1350..000000000 --- a/policy/modules/services/vhostmd.te +++ /dev/null @@ -1,76 +0,0 @@ -policy_module(vhostmd, 1.0.0) - -######################################## -# -# Declarations -# - -type vhostmd_t; -type vhostmd_exec_t; -init_daemon_domain(vhostmd_t, vhostmd_exec_t) - -type vhostmd_initrc_exec_t; -init_script_file(vhostmd_initrc_exec_t) - -type vhostmd_tmpfs_t; -files_tmpfs_file(vhostmd_tmpfs_t) - -type vhostmd_var_run_t; -files_pid_file(vhostmd_var_run_t) - -######################################## -# -# vhostmd local policy -# - -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; -allow vhostmd_t self:process { setsched getsched }; -allow vhostmd_t self:fifo_file rw_file_perms; - -manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) - -manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) -files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) - -kernel_read_system_state(vhostmd_t) -kernel_read_network_state(vhostmd_t) -kernel_write_xen_state(vhostmd_t) - -corecmd_exec_bin(vhostmd_t) -corecmd_exec_shell(vhostmd_t) - -corenet_tcp_connect_soundd_port(vhostmd_t) - -files_read_etc_files(vhostmd_t) -files_read_usr_files(vhostmd_t) - -dev_read_sysfs(vhostmd_t) - -auth_use_nsswitch(vhostmd_t) - -logging_send_syslog_msg(vhostmd_t) - -miscfiles_read_localization(vhostmd_t) - -optional_policy(` - hostname_exec(vhostmd_t) -') - -optional_policy(` - rpm_exec(vhostmd_t) - rpm_read_db(vhostmd_t) -') - -optional_policy(` - virt_stream_connect(vhostmd_t) -') - -optional_policy(` - xen_domtrans_xm(vhostmd_t) - xen_stream_connect(vhostmd_t) - xen_stream_connect_xenstore(vhostmd_t) - xen_stream_connect_xm(vhostmd_t) -') diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc deleted file mode 100644 index 2124b6add..000000000 --- a/policy/modules/services/virt.fc +++ /dev/null @@ -1,29 +0,0 @@ -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) - -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - -/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) - -/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) - -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) - -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if deleted file mode 100644 index 7c5d8d82b..000000000 --- a/policy/modules/services/virt.if +++ /dev/null @@ -1,518 +0,0 @@ -## Libvirt virtualization API - -######################################## -## -## Creates types and rules for a basic -## qemu process domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`virt_domain_template',` - gen_require(` - type virtd_t; - attribute virt_image_type; - attribute virt_domain; - ') - - type $1_t, virt_domain; - domain_type($1_t) - domain_user_exemption_target($1_t) - role system_r types $1_t; - - type $1_devpts_t; - term_pty($1_devpts_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) - - type $1_var_run_t; - files_pid_file($1_var_run_t) - - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - - stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) - manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file }) - stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) - - optional_policy(` - xserver_rw_shm($1_t) - ') -') - -######################################## -## -## Make the specified type usable as a virt image -## -## -## -## Type to be used as a virtual image -## -## -# -interface(`virt_image',` - gen_require(` - attribute virt_image_type; - ') - - typeattribute $1 virt_image_type; - files_type($1) - - # virt images can be assigned to blk devices - dev_node($1) -') - -######################################## -## -## Execute a domain transition to run virt. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`virt_domtrans',` - gen_require(` - type virtd_t, virtd_exec_t; - ') - - domtrans_pattern($1, virtd_exec_t, virtd_t) -') - -####################################### -## -## Connect to virt over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_stream_connect',` - gen_require(` - type virtd_t, virt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -') - -######################################## -## -## Allow domain to attach to virt TUN devices -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_attach_tun_iface',` - gen_require(` - type virtd_t; - ') - - allow $1 virtd_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Read virt config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_config',` - gen_require(` - type virt_etc_t; - type virt_etc_rw_t; - ') - - files_search_etc($1) - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## -## manage virt config files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_config',` - gen_require(` - type virt_etc_t; - type virt_etc_rw_t; - ') - - files_search_etc($1) - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## -## Allow domain to manage virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_content',` - gen_require(` - type virt_content_t; - ') - - virt_search_lib($1) - allow $1 virt_content_t:dir list_dir_perms; - list_dirs_pattern($1, virt_content_t, virt_content_t) - read_files_pattern($1, virt_content_t, virt_content_t) - read_lnk_files_pattern($1, virt_content_t, virt_content_t) - read_blk_files_pattern($1, virt_content_t, virt_content_t) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## -## Read virt PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## -## Manage virt pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## -## Search virt lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_search_lib',` - gen_require(` - type virt_var_lib_t; - ') - - allow $1 virt_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read virt lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## virt lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## -## Allow the specified domain to read virt's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`virt_read_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## -## Allow the specified domain to append -## virt log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_append_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## -## Allow domain to manage virt log files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_log',` - gen_require(` - type virt_log_t; - ') - - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## -## Allow domain to read virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## -## Create, read, write, and delete -## svirt cache files. -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_svirt_cache',` - gen_require(` - type svirt_cache_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) - manage_files_pattern($1, svirt_cache_t, svirt_cache_t) - manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) -') - -######################################## -## -## Allow domain to manage virt image files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_manage_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## -## All of the rules required to administrate -## an virt environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`virt_admin',` - gen_require(` - type virtd_t, virtd_initrc_exec_t; - ') - - allow $1 virtd_t:process { ptrace signal_perms }; - ps_process_pattern($1, virtd_t) - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; - - virt_manage_pid_files($1) - - virt_manage_lib_files($1) - - virt_manage_log($1) -') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te deleted file mode 100644 index 3eca0207c..000000000 --- a/policy/modules/services/virt.te +++ /dev/null @@ -1,464 +0,0 @@ -policy_module(virt, 1.4.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow virt to use serial/parallell communication ports -##

-## -gen_tunable(virt_use_comm, false) - -## -##

-## Allow virt to read fuse files -##

-## -gen_tunable(virt_use_fusefs, false) - -## -##

-## Allow virt to manage nfs files -##

-## -gen_tunable(virt_use_nfs, false) - -## -##

-## Allow virt to manage cifs files -##

-## -gen_tunable(virt_use_samba, false) - -## -##

-## Allow virt to manage device configuration, (pci) -##

-## -gen_tunable(virt_use_sysfs, false) - -## -##

-## Allow virt to use usb devices -##

-## -gen_tunable(virt_use_usb, true) - -virt_domain_template(svirt) -role system_r types svirt_t; - -type svirt_cache_t; -files_type(svirt_cache_t) - -attribute virt_domain; -attribute virt_image_type; - -type virt_etc_t; -files_config_file(virt_etc_t) - -type virt_etc_rw_t; -files_type(virt_etc_rw_t) - -# virt Image files -type virt_image_t; # customizable -virt_image(virt_image_t) - -# virt Image files -type virt_content_t; # customizable -virt_image(virt_content_t) -userdom_user_home_content(virt_content_t) - -type virt_log_t; -logging_log_file(virt_log_t) - -type virt_var_run_t; -files_pid_file(virt_var_run_t) - -type virt_var_lib_t; -files_type(virt_var_lib_t) - -type virtd_t; -type virtd_exec_t; -init_daemon_domain(virtd_t, virtd_exec_t) -domain_obj_id_change_exemption(virtd_t) -domain_subj_id_change_exemption(virtd_t) - -type virtd_initrc_exec_t; -init_script_file(virtd_initrc_exec_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) -') - -ifdef(`enable_mls',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) -') - -######################################## -# -# svirt local policy -# - -allow svirt_t self:udp_socket create_socket_perms; - -manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) - -read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) - -allow svirt_t svirt_image_t:dir search_dir_perms; -manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) -manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) - -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir write; - -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) - -dev_list_sysfs(svirt_t) - -userdom_search_user_home_content(svirt_t) -userdom_read_user_home_content_symlinks(svirt_t) -userdom_read_all_users_state(svirt_t) - -tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(svirt_t) - dev_rw_printer(svirt_t) -') - -tunable_policy(`virt_use_fusefs',` - fs_read_fusefs_files(svirt_t) - fs_read_fusefs_symlinks(svirt_t) -') - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(svirt_t) - fs_manage_nfs_files(svirt_t) -') - -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(svirt_t) - fs_manage_cifs_files(svirt_t) -') - -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(svirt_t) -') - -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(svirt_t) - fs_manage_dos_dirs(svirt_t) - fs_manage_dos_files(svirt_t) -') - -optional_policy(` - xen_rw_image_files(svirt_t) -') - -######################################## -# -# virtd local policy -# - -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; - -allow virtd_t self:fifo_file rw_fifo_file_perms; -allow virtd_t self:unix_stream_socket create_stream_socket_perms; -allow virtd_t self:tcp_socket create_stream_socket_perms; -allow virtd_t self:tun_socket create_socket_perms; -allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; - -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) -manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) - -manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) -manage_files_pattern(virtd_t, virt_content_t, virt_content_t) - -allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; - -read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - -manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) - -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:file { relabelfrom relabelto }; -allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; - -manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) -manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -logging_log_filetrans(virtd_t, virt_log_t, { file dir }) - -manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) - -manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) - -kernel_read_system_state(virtd_t) -kernel_read_network_state(virtd_t) -kernel_rw_net_sysctls(virtd_t) -kernel_request_load_module(virtd_t) -kernel_search_debugfs(virtd_t) - -corecmd_exec_bin(virtd_t) -corecmd_exec_shell(virtd_t) - -corenet_all_recvfrom_unlabeled(virtd_t) -corenet_all_recvfrom_netlabel(virtd_t) -corenet_tcp_sendrecv_generic_if(virtd_t) -corenet_tcp_sendrecv_generic_node(virtd_t) -corenet_tcp_sendrecv_all_ports(virtd_t) -corenet_tcp_bind_generic_node(virtd_t) -corenet_tcp_bind_virt_port(virtd_t) -corenet_tcp_bind_vnc_port(virtd_t) -corenet_tcp_connect_vnc_port(virtd_t) -corenet_tcp_connect_soundd_port(virtd_t) -corenet_rw_tun_tap_dev(virtd_t) - -dev_rw_sysfs(virtd_t) -dev_read_rand(virtd_t) -dev_rw_kvm(virtd_t) -dev_getattr_all_chr_files(virtd_t) -dev_rw_mtrr(virtd_t) - -# Init script handling -domain_use_interactive_fds(virtd_t) -domain_read_all_domains_state(virtd_t) - -files_read_usr_files(virtd_t) -files_read_etc_files(virtd_t) -files_read_etc_runtime_files(virtd_t) -files_search_all(virtd_t) -files_read_kernel_modules(virtd_t) -files_read_usr_src_files(virtd_t) -files_manage_etc_files(virtd_t) - -fs_list_auto_mountpoints(virtd_t) -fs_getattr_xattr_fs(virtd_t) -fs_rw_anon_inodefs_files(virtd_t) -fs_list_inotifyfs(virtd_t) -fs_manage_cgroup_dirs(virtd_t) -fs_rw_cgroup_files(virtd_t) - -mcs_process_set_categories(virtd_t) - -storage_manage_fixed_disk(virtd_t) -storage_relabel_fixed_disk(virtd_t) -storage_raw_write_removable_device(virtd_t) -storage_raw_read_removable_device(virtd_t) - -term_getattr_pty_fs(virtd_t) -term_use_generic_ptys(virtd_t) -term_use_ptmx(virtd_t) - -auth_use_nsswitch(virtd_t) - -miscfiles_read_localization(virtd_t) -miscfiles_read_generic_certs(virtd_t) -miscfiles_read_hwdata(virtd_t) - -modutils_read_module_deps(virtd_t) -modutils_read_module_config(virtd_t) -modutils_manage_module_config(virtd_t) - -logging_send_syslog_msg(virtd_t) - -seutil_read_default_contexts(virtd_t) - -sysnet_domtrans_ifconfig(virtd_t) -sysnet_read_config(virtd_t) - -userdom_getattr_all_users(virtd_t) -userdom_list_user_home_content(virtd_t) -userdom_read_all_users_state(virtd_t) -userdom_read_user_home_content_files(virtd_t) - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virtd_t) - fs_manage_nfs_files(virtd_t) - fs_read_nfs_symlinks(virtd_t) -') - -tunable_policy(`virt_use_samba',` - fs_manage_nfs_files(virtd_t) - fs_manage_cifs_files(virtd_t) - fs_read_cifs_symlinks(virtd_t) -') - -optional_policy(` - brctl_domtrans(virtd_t) -') - -optional_policy(` - dbus_system_bus_client(virtd_t) - - optional_policy(` - avahi_dbus_chat(virtd_t) - ') - - optional_policy(` - consolekit_dbus_chat(virtd_t) - ') - - optional_policy(` - hal_dbus_chat(virtd_t) - ') -') - -optional_policy(` - dnsmasq_domtrans(virtd_t) - dnsmasq_signal(virtd_t) - dnsmasq_kill(virtd_t) - dnsmasq_read_pid_files(virtd_t) - dnsmasq_signull(virtd_t) -') - -optional_policy(` - iptables_domtrans(virtd_t) - iptables_initrc_domtrans(virtd_t) - - # Manages /etc/sysconfig/system-config-firewall - iptables_manage_config(virtd_t) -') - -optional_policy(` - kerberos_keytab_template(virtd, virtd_t) -') - -optional_policy(` - lvm_domtrans(virtd_t) -') - -optional_policy(` - policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) - policykit_read_lib(virtd_t) -') - -optional_policy(` - qemu_domtrans(virtd_t) - qemu_read_state(virtd_t) - qemu_signal(virtd_t) - qemu_kill(virtd_t) - qemu_setsched(virtd_t) -') - -optional_policy(` - sasl_connect(virtd_t) -') - -optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) - xen_read_image_files(virtd_t) -') - -optional_policy(` - udev_domtrans(virtd_t) - udev_read_db(virtd_t) -') - -optional_policy(` - unconfined_domain(virtd_t) -') - -######################################## -# -# virtual domains common policy -# - -allow virt_domain self:capability { dac_read_search dac_override kill }; -allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_file_perms; -allow virt_domain self:shm create_shm_perms; -allow virt_domain self:unix_stream_socket create_stream_socket_perms; -allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; -allow virt_domain self:tcp_socket create_stream_socket_perms; - -append_files_pattern(virt_domain, virt_log_t, virt_log_t) - -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -kernel_read_system_state(virt_domain) - -corecmd_exec_bin(virt_domain) -corecmd_exec_shell(virt_domain) - -corenet_all_recvfrom_unlabeled(virt_domain) -corenet_all_recvfrom_netlabel(virt_domain) -corenet_tcp_sendrecv_generic_if(virt_domain) -corenet_tcp_sendrecv_generic_node(virt_domain) -corenet_tcp_sendrecv_all_ports(virt_domain) -corenet_tcp_bind_generic_node(virt_domain) -corenet_tcp_bind_vnc_port(virt_domain) -corenet_rw_tun_tap_dev(virt_domain) -corenet_tcp_bind_virt_migration_port(virt_domain) -corenet_tcp_connect_virt_migration_port(virt_domain) - -dev_read_rand(virt_domain) -dev_read_sound(virt_domain) -dev_read_urand(virt_domain) -dev_write_sound(virt_domain) -dev_rw_ksm(virt_domain) -dev_rw_kvm(virt_domain) -dev_rw_qemu(virt_domain) - -domain_use_interactive_fds(virt_domain) - -files_read_etc_files(virt_domain) -files_read_usr_files(virt_domain) -files_read_var_files(virt_domain) -files_search_all(virt_domain) - -fs_getattr_tmpfs(virt_domain) -fs_rw_anon_inodefs_files(virt_domain) -fs_rw_tmpfs_files(virt_domain) - -term_use_all_terms(virt_domain) -term_getattr_pty_fs(virt_domain) -term_use_generic_ptys(virt_domain) -term_use_ptmx(virt_domain) - -auth_use_nsswitch(virt_domain) - -logging_send_syslog_msg(virt_domain) - -miscfiles_read_localization(virt_domain) - -optional_policy(` - ptchown_domtrans(virt_domain) -') - -optional_policy(` - virt_read_config(virt_domain) - virt_read_lib_files(virt_domain) - virt_read_content(virt_domain) - virt_stream_connect(virt_domain) -') diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc deleted file mode 100644 index 11533ccc4..000000000 --- a/policy/modules/services/vnstatd.fc +++ /dev/null @@ -1,7 +0,0 @@ -/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) - -/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) - -/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) - -/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if deleted file mode 100644 index 727fe9531..000000000 --- a/policy/modules/services/vnstatd.if +++ /dev/null @@ -1,143 +0,0 @@ -## Console network traffic monitor. - -######################################## -## -## Execute a domain transition to run vnstat. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vnstatd_domtrans_vnstat',` - gen_require(` - type vnstat_t, vnstat_exec_t; - ') - - domtrans_pattern($1, vnstat_exec_t, vnstat_t) -') - -######################################## -## -## Execute a domain transition to run vnstatd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vnstatd_domtrans',` - gen_require(` - type vnstatd_t, vnstatd_exec_t; - ') - - domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) -') - -######################################## -## -## Search vnstatd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_search_lib',` - gen_require(` - type vnstatd_var_lib_t; - ') - - allow $1 vnstatd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Manage vnstatd lib dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_manage_lib_dirs',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## Read vnstatd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_read_lib_files',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## vnstatd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_manage_lib_files',` - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## All of the rules required to administrate -## an vnstatd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`vnstatd_admin',` - gen_require(` - type vnstatd_t, vnstatd_var_lib_t; - ') - - allow $1 vnstatd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vnstatd_t) - - files_list_var_lib($1) - admin_pattern($1, vnstatd_var_lib_t) -') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te deleted file mode 100644 index 8121937aa..000000000 --- a/policy/modules/services/vnstatd.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(vnstatd, 1.0.0) - -######################################## -# -# Declarations -# - -type vnstat_t; -type vnstat_exec_t; -application_domain(vnstat_t, vnstat_exec_t) - -type vnstatd_t; -type vnstatd_exec_t; -init_daemon_domain(vnstatd_t, vnstatd_exec_t) - -type vnstatd_var_lib_t; -files_type(vnstatd_var_lib_t) - -type vnstatd_var_run_t; -files_pid_file(vnstatd_var_run_t) - -######################################## -# -# vnstatd local policy -# - -allow vnstatd_t self:process signal; -allow vnstatd_t self:fifo_file rw_fifo_file_perms; -allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) - -manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) - -kernel_read_network_state(vnstatd_t) -kernel_read_system_state(vnstatd_t) - -domain_use_interactive_fds(vnstatd_t) - -files_read_etc_files(vnstatd_t) - -fs_getattr_xattr_fs(vnstatd_t) - -logging_send_syslog_msg(vnstatd_t) - -miscfiles_read_localization(vnstatd_t) - -optional_policy(` - cron_system_entry(vnstat_t, vnstat_exec_t) -') - -######################################## -# -# vnstat local policy -# - -allow vnstat_t self:process signal; -allow vnstat_t self:fifo_file rw_fifo_file_perms; -allow vnstat_t self:unix_stream_socket create_stream_socket_perms; - -manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) - -kernel_read_network_state(vnstat_t) -kernel_read_system_state(vnstat_t) - -domain_use_interactive_fds(vnstat_t) - -files_read_etc_files(vnstat_t) - -fs_getattr_xattr_fs(vnstat_t) - -logging_send_syslog_msg(vnstat_t) - -miscfiles_read_localization(vnstat_t) diff --git a/policy/modules/services/w3c.fc b/policy/modules/services/w3c.fc deleted file mode 100644 index a9cc9a852..000000000 --- a/policy/modules/services/w3c.fc +++ /dev/null @@ -1,4 +0,0 @@ -/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) - -/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) -/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) diff --git a/policy/modules/services/w3c.if b/policy/modules/services/w3c.if deleted file mode 100644 index 8f678a9f3..000000000 --- a/policy/modules/services/w3c.if +++ /dev/null @@ -1 +0,0 @@ -## W3C Markup Validator diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te deleted file mode 100644 index 1174ad843..000000000 --- a/policy/modules/services/w3c.te +++ /dev/null @@ -1,24 +0,0 @@ -policy_module(w3c, 1.0.0) - -######################################## -# -# Declarations -# - -apache_content_template(w3c_validator) - -######################################## -# -# Local policy -# - -corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) - -miscfiles_read_generic_certs(httpd_w3c_validator_script_t) - -sysnet_dns_name_resolve(httpd_w3c_validator_script_t) diff --git a/policy/modules/services/watchdog.fc b/policy/modules/services/watchdog.fc deleted file mode 100644 index 7551c51b4..000000000 --- a/policy/modules/services/watchdog.fc +++ /dev/null @@ -1,5 +0,0 @@ -/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) - -/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0) - -/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/policy/modules/services/watchdog.if b/policy/modules/services/watchdog.if deleted file mode 100644 index f8acf10a3..000000000 --- a/policy/modules/services/watchdog.if +++ /dev/null @@ -1 +0,0 @@ -## Software watchdog diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te deleted file mode 100644 index b10bb0537..000000000 --- a/policy/modules/services/watchdog.te +++ /dev/null @@ -1,105 +0,0 @@ -policy_module(watchdog, 1.7.0) - -################################# -# -# Rules for the watchdog_t domain. -# - -type watchdog_t; -type watchdog_exec_t; -init_daemon_domain(watchdog_t, watchdog_exec_t) - -type watchdog_log_t; -logging_log_file(watchdog_log_t) - -type watchdog_var_run_t; -files_pid_file(watchdog_var_run_t) - -######################################## -# -# Declarations -# - -allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; -dontaudit watchdog_t self:capability sys_tty_config; -allow watchdog_t self:process { setsched signal_perms }; -allow watchdog_t self:fifo_file rw_fifo_file_perms; -allow watchdog_t self:unix_stream_socket create_socket_perms; -allow watchdog_t self:tcp_socket create_stream_socket_perms; -allow watchdog_t self:udp_socket create_socket_perms; - -allow watchdog_t watchdog_log_t:file manage_file_perms; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) - -manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) -files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) - -kernel_read_system_state(watchdog_t) -kernel_read_kernel_sysctls(watchdog_t) -kernel_unmount_proc(watchdog_t) - -# for orderly shutdown -corecmd_exec_shell(watchdog_t) - -# cjp: why networking? -corenet_all_recvfrom_unlabeled(watchdog_t) -corenet_all_recvfrom_netlabel(watchdog_t) -corenet_tcp_sendrecv_generic_if(watchdog_t) -corenet_udp_sendrecv_generic_if(watchdog_t) -corenet_tcp_sendrecv_generic_node(watchdog_t) -corenet_udp_sendrecv_generic_node(watchdog_t) -corenet_tcp_sendrecv_all_ports(watchdog_t) -corenet_udp_sendrecv_all_ports(watchdog_t) -corenet_tcp_connect_all_ports(watchdog_t) -corenet_sendrecv_all_client_packets(watchdog_t) - -dev_read_sysfs(watchdog_t) -dev_write_watchdog(watchdog_t) -# do not care about saving the random seed -dev_dontaudit_read_rand(watchdog_t) -dev_dontaudit_read_urand(watchdog_t) - -domain_use_interactive_fds(watchdog_t) -domain_getsession_all_domains(watchdog_t) -domain_sigchld_all_domains(watchdog_t) -domain_sigstop_all_domains(watchdog_t) -domain_signull_all_domains(watchdog_t) -domain_signal_all_domains(watchdog_t) -domain_kill_all_domains(watchdog_t) - -files_read_etc_files(watchdog_t) -# for updating mtab on umount -files_manage_etc_runtime_files(watchdog_t) -files_etc_filetrans_etc_runtime(watchdog_t, file) - -fs_unmount_xattr_fs(watchdog_t) -fs_getattr_all_fs(watchdog_t) -fs_search_auto_mountpoints(watchdog_t) - -# record the fact that we are going down -auth_append_login_records(watchdog_t) - -logging_send_syslog_msg(watchdog_t) - -miscfiles_read_localization(watchdog_t) - -sysnet_read_config(watchdog_t) - -userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -userdom_dontaudit_search_user_home_dirs(watchdog_t) - -optional_policy(` - mta_send_mail(watchdog_t) -') - -optional_policy(` - nis_use_ypbind(watchdog_t) -') - -optional_policy(` - seutil_sigchld_newrole(watchdog_t) -') - -optional_policy(` - udev_read_db(watchdog_t) -') diff --git a/policy/modules/services/xfs.fc b/policy/modules/services/xfs.fc deleted file mode 100644 index 8e70038b2..000000000 --- a/policy/modules/services/xfs.fc +++ /dev/null @@ -1,8 +0,0 @@ - -/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) - -/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) -/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0) - -/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) -/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0) diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if deleted file mode 100644 index aa6e5a8d8..000000000 --- a/policy/modules/services/xfs.if +++ /dev/null @@ -1,59 +0,0 @@ -## X Windows Font Server - -######################################## -## -## Read a X font server named socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xfs_read_sockets',` - gen_require(` - type xfs_tmp_t; - ') - - files_search_tmp($1) - read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t) -') - -######################################## -## -## Connect to a X font server over -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xfs_stream_connect',` - gen_require(` - type xfs_tmp_t, xfs_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t) -') - -######################################## -## -## Allow the specified domain to execute xfs -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`xfs_exec',` - gen_require(` - type xfs_exec_t; - ') - - can_exec($1, xfs_exec_t) -') diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te deleted file mode 100644 index 11c1b12bf..000000000 --- a/policy/modules/services/xfs.te +++ /dev/null @@ -1,87 +0,0 @@ -policy_module(xfs, 1.6.0) - -######################################## -# -# Declarations -# - -type xfs_t; -type xfs_exec_t; -init_daemon_domain(xfs_t, xfs_exec_t) - -type xfs_tmp_t; -files_tmp_file(xfs_tmp_t) - -type xfs_var_run_t; -files_pid_file(xfs_var_run_t) - -######################################## -# -# Local policy -# - -allow xfs_t self:capability { dac_override setgid setuid }; -dontaudit xfs_t self:capability sys_tty_config; -allow xfs_t self:process { signal_perms setpgid }; -allow xfs_t self:unix_stream_socket create_stream_socket_perms; -allow xfs_t self:unix_dgram_socket create_socket_perms; -allow xfs_t self:tcp_socket create_stream_socket_perms; - -manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) -manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) -files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir }) - -manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t) -files_pid_filetrans(xfs_t, xfs_var_run_t, file) - -kernel_read_kernel_sysctls(xfs_t) -kernel_read_system_state(xfs_t) - -corenet_all_recvfrom_unlabeled(xfs_t) -corenet_all_recvfrom_netlabel(xfs_t) -corenet_tcp_sendrecv_generic_if(xfs_t) -corenet_tcp_sendrecv_generic_node(xfs_t) -corenet_tcp_sendrecv_all_ports(xfs_t) -corenet_tcp_bind_generic_node(xfs_t) -corenet_tcp_bind_xfs_port(xfs_t) -corenet_sendrecv_xfs_server_packets(xfs_t) - -corecmd_list_bin(xfs_t) - -dev_read_sysfs(xfs_t) -dev_read_urand(xfs_t) -dev_read_rand(xfs_t) - -fs_getattr_all_fs(xfs_t) -fs_search_auto_mountpoints(xfs_t) - -domain_use_interactive_fds(xfs_t) - -files_read_etc_files(xfs_t) -files_read_etc_runtime_files(xfs_t) -files_read_usr_files(xfs_t) - -auth_use_nsswitch(xfs_t) - -logging_send_syslog_msg(xfs_t) - -miscfiles_read_localization(xfs_t) -miscfiles_read_fonts(xfs_t) - -userdom_dontaudit_use_unpriv_user_fds(xfs_t) -userdom_dontaudit_search_user_home_dirs(xfs_t) - -xfs_exec(xfs_t) - -ifdef(`distro_debian',` - # for /tmp/.font-unix/fs7100 - init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file) -') - -optional_policy(` - seutil_sigchld_newrole(xfs_t) -') - -optional_policy(` - udev_read_db(xfs_t) -') diff --git a/policy/modules/services/xprint.fc b/policy/modules/services/xprint.fc deleted file mode 100644 index 6a857fff0..000000000 --- a/policy/modules/services/xprint.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0) diff --git a/policy/modules/services/xprint.if b/policy/modules/services/xprint.if deleted file mode 100644 index e69a82af8..000000000 --- a/policy/modules/services/xprint.if +++ /dev/null @@ -1 +0,0 @@ -## X print server diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te deleted file mode 100644 index 68d13e591..000000000 --- a/policy/modules/services/xprint.te +++ /dev/null @@ -1,82 +0,0 @@ -policy_module(xprint, 1.7.0) - -######################################## -# -# Declarations -# - -type xprint_t; -type xprint_exec_t; -init_daemon_domain(xprint_t, xprint_exec_t) - -type xprint_var_run_t; -files_pid_file(xprint_var_run_t) - -######################################## -# -# Local policy -# - -dontaudit xprint_t self:capability sys_tty_config; -allow xprint_t self:process signal_perms; -allow xprint_t self:fifo_file rw_file_perms; -allow xprint_t self:tcp_socket create_stream_socket_perms; -allow xprint_t self:udp_socket create_socket_perms; - -manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t) -files_pid_filetrans(xprint_t, xprint_var_run_t, file) - -kernel_read_system_state(xprint_t) -kernel_read_kernel_sysctls(xprint_t) - -corecmd_exec_bin(xprint_t) -corecmd_exec_shell(xprint_t) - -corenet_all_recvfrom_unlabeled(xprint_t) -corenet_all_recvfrom_netlabel(xprint_t) -corenet_tcp_sendrecv_generic_if(xprint_t) -corenet_udp_sendrecv_generic_if(xprint_t) -corenet_tcp_sendrecv_generic_node(xprint_t) -corenet_udp_sendrecv_generic_node(xprint_t) -corenet_tcp_sendrecv_all_ports(xprint_t) -corenet_udp_sendrecv_all_ports(xprint_t) - -dev_read_sysfs(xprint_t) -dev_read_urand(xprint_t) - -domain_use_interactive_fds(xprint_t) - -files_read_etc_files(xprint_t) -files_read_etc_runtime_files(xprint_t) -files_read_usr_files(xprint_t) -files_search_var_lib(xprint_t) -files_search_tmp(xprint_t) - -fs_getattr_all_fs(xprint_t) -fs_search_auto_mountpoints(xprint_t) - -logging_send_syslog_msg(xprint_t) - -miscfiles_read_fonts(xprint_t) -miscfiles_read_localization(xprint_t) - -sysnet_read_config(xprint_t) - -userdom_dontaudit_use_unpriv_user_fds(xprint_t) -userdom_dontaudit_search_user_home_dirs(xprint_t) - -optional_policy(` - cups_read_config(xprint_t) -') - -optional_policy(` - nis_use_ypbind(xprint_t) -') - -optional_policy(` - seutil_sigchld_newrole(xprint_t) -') - -optional_policy(` - udev_read_db(xprint_t) -') diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc deleted file mode 100644 index aa5a5211a..000000000 --- a/policy/modules/services/zabbix.fc +++ /dev/null @@ -1,9 +0,0 @@ -/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) -/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) - -/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) -/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) - -/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) - -/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if deleted file mode 100644 index c9981d184..000000000 --- a/policy/modules/services/zabbix.if +++ /dev/null @@ -1,158 +0,0 @@ -## Distributed infrastructure monitoring - -######################################## -## -## Execute a domain transition to run zabbix. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zabbix_domtrans',` - gen_require(` - type zabbix_t, zabbix_exec_t; - ') - - domtrans_pattern($1, zabbix_exec_t, zabbix_t) -') - -######################################## -## -## Allow connectivity to the zabbix server -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_tcp_connect',` - gen_require(` - type zabbix_t; - ') - - corenet_sendrecv_zabbix_agent_client_packets($1) - corenet_tcp_connect_zabbix_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - corenet_tcp_sendrecv_zabbix_port($1) -') - -######################################## -## -## Allow the specified domain to read zabbix's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`zabbix_read_log',` - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, zabbix_log_t, zabbix_log_t) -') - -######################################## -## -## Allow the specified domain to append -## zabbix log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_append_log',` - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, zabbix_log_t, zabbix_log_t) -') - -######################################## -## -## Read zabbix PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_read_pid_files',` - gen_require(` - type zabbix_var_run_t; - ') - - files_search_pids($1) - allow $1 zabbix_var_run_t:file read_file_perms; -') - -######################################## -## -## Allow connectivity to a zabbix agent -## -## -## -## Domain allowed access. -## -## -# -interface(`zabbix_agent_tcp_connect',` - gen_require(` - type zabbix_agent_t; - ') - - corenet_sendrecv_zabbix_agent_client_packets($1) - corenet_tcp_connect_zabbix_agent_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - corenet_tcp_sendrecv_zabbix_agent_port($1) -') - -######################################## -## -## All of the rules required to administrate -## an zabbix environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the zabbix domain. -## -## -## -# -interface(`zabbix_admin',` - gen_require(` - type zabbix_t, zabbix_log_t, zabbix_var_run_t; - type zabbix_initrc_exec_t; - ') - - allow $1 zabbix_t:process { ptrace signal_perms }; - ps_process_pattern($1, zabbix_t) - - init_labeled_script_domtrans($1, zabbix_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zabbix_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) - admin_pattern($1, zabbix_log_t) - - files_list_pids($1) - admin_pattern($1, zabbix_var_run_t) -') diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te deleted file mode 100644 index 5e0bd8879..000000000 --- a/policy/modules/services/zabbix.te +++ /dev/null @@ -1,137 +0,0 @@ -policy_module(zabbix, 1.4.1) - -######################################## -# -# Declarations -# - -type zabbix_t; -type zabbix_exec_t; -init_daemon_domain(zabbix_t, zabbix_exec_t) - -type zabbix_initrc_exec_t; -init_script_file(zabbix_initrc_exec_t) - -type zabbix_agent_t; -type zabbix_agent_exec_t; -init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) - -type zabbix_agent_initrc_exec_t; -init_script_file(zabbix_agent_initrc_exec_t) - -# log files -type zabbix_log_t; -logging_log_file(zabbix_log_t) - -# shared memory -type zabbix_tmpfs_t; -files_tmpfs_file(zabbix_tmpfs_t) - -# pid files -type zabbix_var_run_t; -files_pid_file(zabbix_var_run_t) - -######################################## -# -# zabbix local policy -# - -allow zabbix_t self:capability { setuid setgid }; -allow zabbix_t self:fifo_file rw_file_perms; -allow zabbix_t self:process { setsched getsched signal }; -allow zabbix_t self:unix_stream_socket create_stream_socket_perms; -allow zabbix_t self:sem create_sem_perms; -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; - -# log files -allow zabbix_t zabbix_log_t:dir setattr; -manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -logging_log_filetrans(zabbix_t, zabbix_log_t, file) - -# shared memory -rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) -fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) - -# pid file -manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) - -corenet_tcp_bind_generic_node(zabbix_t) -corenet_tcp_bind_zabbix_port(zabbix_t) - -files_read_etc_files(zabbix_t) - -miscfiles_read_localization(zabbix_t) - -sysnet_dns_name_resolve(zabbix_t) - -zabbix_agent_tcp_connect(zabbix_t) - -optional_policy(` - mysql_stream_connect(zabbix_t) - mysql_tcp_connect(zabbix_t) -') - -optional_policy(` - postgresql_stream_connect(zabbix_t) -') - -######################################## -# -# zabbix agent local policy -# - -allow zabbix_agent_t self:capability { setuid setgid }; -allow zabbix_agent_t self:process { setsched getsched signal }; -allow zabbix_agent_t self:fifo_file rw_file_perms; -allow zabbix_agent_t self:sem create_sem_perms; -allow zabbix_agent_t self:shm create_shm_perms; -allow zabbix_agent_t self:tcp_socket create_stream_socket_perms; -allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; - -# Logging access -filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) -manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) - -# Shared Memory support -rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) -fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) - -# PID file management -manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) -files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) - -kernel_read_all_sysctls(zabbix_agent_t) -kernel_read_system_state(zabbix_agent_t) - -corecmd_read_all_executables(zabbix_agent_t) - -corenet_tcp_bind_generic_node(zabbix_agent_t) -corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -corenet_tcp_connect_ssh_port(zabbix_agent_t) -corenet_tcp_connect_zabbix_port(zabbix_agent_t) - -dev_getattr_all_blk_files(zabbix_agent_t) -dev_getattr_all_chr_files(zabbix_agent_t) - -domain_search_all_domains_state(zabbix_agent_t) - -files_getattr_all_dirs(zabbix_agent_t) -files_getattr_all_files(zabbix_agent_t) -files_read_all_symlinks(zabbix_agent_t) -files_read_etc_files(zabbix_agent_t) - -fs_getattr_all_fs(zabbix_agent_t) - -init_read_utmp(zabbix_agent_t) - -logging_search_logs(zabbix_agent_t) - -miscfiles_read_localization(zabbix_agent_t) - -sysnet_dns_name_resolve(zabbix_agent_t) - -# Network access to zabbix server -zabbix_tcp_connect(zabbix_agent_t) diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc deleted file mode 100644 index 3defaa1fd..000000000 --- a/policy/modules/services/zarafa.fc +++ /dev/null @@ -1,26 +0,0 @@ -/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) - -/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) -/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) -/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) -/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) -/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) -/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) -/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) - -/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) - -/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) -/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) -/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) -/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) - -/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) -/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) -/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) -/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if deleted file mode 100644 index 21ae66431..000000000 --- a/policy/modules/services/zarafa.if +++ /dev/null @@ -1,120 +0,0 @@ -## Zarafa collaboration platform. - -###################################### -## -## Creates types and rules for a basic -## zararfa init daemon domain. -## -## -## -## Prefix for the domain. -## -## -# -template(`zarafa_domain_template',` - gen_require(` - attribute zarafa_domain; - ') - - ############################## - # - # $1_t declarations - # - - type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; - init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - - type zarafa_$1_log_t; - logging_log_file(zarafa_$1_log_t) - - type zarafa_$1_var_run_t; - files_pid_file(zarafa_$1_var_run_t) - - ############################## - # - # $1_t local policy - # - - manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) - - manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) -') - -###################################### -## -## Allow the specified domain to search -## zarafa configuration dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`zarafa_search_config',` - gen_require(` - type zarafa_etc_t; - ') - - files_search_etc($1) - allow $1 zarafa_etc_t:dir search_dir_perms; -') - -######################################## -## -## Execute a domain transition to run zarafa_deliver. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zarafa_domtrans_deliver',` - gen_require(` - type zarafa_deliver_t, zarafa_deliver_exec_t; - ') - - domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) -') - -######################################## -## -## Execute a domain transition to run zarafa_server. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zarafa_domtrans_server',` - gen_require(` - type zarafa_server_t, zarafa_server_exec_t; - ') - - domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) -') - -####################################### -## -## Connect to zarafa-server unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`zarafa_stream_connect_server',` - gen_require(` - type zarafa_server_t, zarafa_server_var_run_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) -') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te deleted file mode 100644 index 9fb47472f..000000000 --- a/policy/modules/services/zarafa.te +++ /dev/null @@ -1,161 +0,0 @@ -policy_module(zarafa, 1.0.0) - -######################################## -# -# Declarations -# - -attribute zarafa_domain; - -zarafa_domain_template(deliver) - -type zarafa_deliver_tmp_t; -files_tmp_file(zarafa_deliver_tmp_t) - -type zarafa_etc_t; -files_config_file(zarafa_etc_t) - -zarafa_domain_template(gateway) -zarafa_domain_template(ical) -zarafa_domain_template(indexer) -zarafa_domain_template(monitor) -zarafa_domain_template(server) - -type zarafa_server_tmp_t; -files_tmp_file(zarafa_server_tmp_t) - -type zarafa_share_t; -files_type(zarafa_share_t) - -zarafa_domain_template(spooler) - -type zarafa_var_lib_t; -files_tmp_file(zarafa_var_lib_t) - -######################################## -# -# zarafa-deliver local policy -# - -manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) -files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - -######################################## -# -# zarafa_gateway local policy -# - -allow zarafa_gateway_t self:capability { chown kill }; -allow zarafa_gateway_t self:process setrlimit; - -corenet_all_recvfrom_unlabeled(zarafa_gateway_t) -corenet_all_recvfrom_netlabel(zarafa_gateway_t) -corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) -corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) -corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) -corenet_tcp_bind_generic_node(zarafa_gateway_t) -corenet_tcp_bind_pop_port(zarafa_gateway_t) - -####################################### -# -# zarafa-ical local policy -# - -allow zarafa_ical_t self:capability chown; - -corenet_all_recvfrom_unlabeled(zarafa_ical_t) -corenet_all_recvfrom_netlabel(zarafa_ical_t) -corenet_tcp_sendrecv_generic_if(zarafa_ical_t) -corenet_tcp_sendrecv_generic_node(zarafa_ical_t) -corenet_tcp_sendrecv_all_ports(zarafa_ical_t) -corenet_tcp_bind_generic_node(zarafa_ical_t) -corenet_tcp_bind_http_cache_port(zarafa_ical_t) - -###################################### -# -# zarafa-monitor local policy -# - -allow zarafa_monitor_t self:capability chown; - -######################################## -# -# zarafa_server local policy -# - -allow zarafa_server_t self:capability { chown kill net_bind_service }; -allow zarafa_server_t self:process setrlimit; - -manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) -manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) -files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) - -manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) - -stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) - -corenet_all_recvfrom_unlabeled(zarafa_server_t) -corenet_all_recvfrom_netlabel(zarafa_server_t) -corenet_tcp_sendrecv_generic_if(zarafa_server_t) -corenet_tcp_sendrecv_generic_node(zarafa_server_t) -corenet_tcp_sendrecv_all_ports(zarafa_server_t) -corenet_tcp_bind_generic_node(zarafa_server_t) -corenet_tcp_bind_zarafa_port(zarafa_server_t) - -files_read_usr_files(zarafa_server_t) - -logging_send_syslog_msg(zarafa_server_t) -logging_send_audit_msgs(zarafa_server_t) - -sysnet_dns_name_resolve(zarafa_server_t) - -optional_policy(` - kerberos_use(zarafa_server_t) -') - -optional_policy(` - mysql_stream_connect(zarafa_server_t) -') - -######################################## -# -# zarafa_spooler local policy -# - -allow zarafa_spooler_t self:capability { chown kill }; - -can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) - -corenet_all_recvfrom_unlabeled(zarafa_spooler_t) -corenet_all_recvfrom_netlabel(zarafa_spooler_t) -corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) -corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) -corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) -corenet_tcp_connect_smtp_port(zarafa_spooler_t) - -######################################## -# -# zarafa domains local policy -# - -# bad permission on /etc/zarafa -allow zarafa_domain self:capability { dac_override setgid setuid }; -allow zarafa_domain self:process signal; -allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket create_stream_socket_perms; -allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; - -stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) - -read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) - -kernel_read_system_state(zarafa_domain) - -files_read_etc_files(zarafa_domain) - -auth_use_nsswitch(zarafa_domain) - -miscfiles_read_localization(zarafa_domain) diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc deleted file mode 100644 index e1b30b253..000000000 --- a/policy/modules/services/zebra.fc +++ /dev/null @@ -1,22 +0,0 @@ -/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) - -/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) - -/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) -/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) - -/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) - -/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) -/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) - -/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if deleted file mode 100644 index 6b8760509..000000000 --- a/policy/modules/services/zebra.if +++ /dev/null @@ -1,88 +0,0 @@ -## Zebra border gateway protocol network routing service - -######################################## -## -## Read the configuration files for zebra. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`zebra_read_config',` - gen_require(` - type zebra_conf_t; - ') - - files_search_etc($1) - allow $1 zebra_conf_t:dir list_dir_perms; - read_files_pattern($1, zebra_conf_t, zebra_conf_t) - read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) -') - -######################################## -## -## Connect to zebra over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`zebra_stream_connect',` - gen_require(` - type zebra_t, zebra_var_run_t; - ') - - files_search_pids($1) - allow $1 zebra_var_run_t:sock_file write; - allow $1 zebra_t:unix_stream_socket connectto; -') - -######################################## -## -## All of the rules required to administrate -## an zebra environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the zebra domain. -## -## -## -# -interface(`zebra_admin',` - gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t; - type zebra_initrc_exec_t; - ') - - allow $1 zebra_t:process { ptrace signal_perms }; - ps_process_pattern($1, zebra_t) - - init_labeled_script_domtrans($1, zebra_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zebra_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, zebra_conf_t) - - logging_list_logs($1) - admin_pattern($1, zebra_log_t) - - files_list_tmp($1) - admin_pattern($1, zebra_tmp_t) - - files_list_pids($1) - admin_pattern($1, zebra_var_run_t) -') diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te deleted file mode 100644 index ade6c2cc9..000000000 --- a/policy/modules/services/zebra.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(zebra, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow zebra daemon to write it configuration files -##

-## -# -gen_tunable(allow_zebra_write_config, false) - -type zebra_t; -type zebra_exec_t; -init_daemon_domain(zebra_t, zebra_exec_t) - -type zebra_conf_t; -files_type(zebra_conf_t) - -type zebra_initrc_exec_t; -init_script_file(zebra_initrc_exec_t) - -type zebra_log_t; -logging_log_file(zebra_log_t) - -type zebra_tmp_t; -files_tmp_file(zebra_tmp_t) - -type zebra_var_run_t; -files_pid_file(zebra_var_run_t) - -######################################## -# -# Local policy -# - -allow zebra_t self:capability { setgid setuid net_admin net_raw }; -dontaudit zebra_t self:capability sys_tty_config; -allow zebra_t self:process { signal_perms getcap setcap }; -allow zebra_t self:file rw_file_perms; -allow zebra_t self:unix_dgram_socket create_socket_perms; -allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; -allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; -allow zebra_t self:udp_socket create_socket_perms; -allow zebra_t self:rawip_socket create_socket_perms; - -allow zebra_t zebra_conf_t:dir list_dir_perms; -read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - -allow zebra_t zebra_log_t:dir setattr; -manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) - -# /tmp/.bgpd is such a bad idea! -allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) - -manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file }) - -kernel_read_system_state(zebra_t) -kernel_read_network_state(zebra_t) -kernel_read_kernel_sysctls(zebra_t) -kernel_rw_net_sysctls(zebra_t) - -corenet_all_recvfrom_unlabeled(zebra_t) -corenet_all_recvfrom_netlabel(zebra_t) -corenet_tcp_sendrecv_generic_if(zebra_t) -corenet_udp_sendrecv_generic_if(zebra_t) -corenet_raw_sendrecv_generic_if(zebra_t) -corenet_tcp_sendrecv_generic_node(zebra_t) -corenet_udp_sendrecv_generic_node(zebra_t) -corenet_raw_sendrecv_generic_node(zebra_t) -corenet_tcp_sendrecv_all_ports(zebra_t) -corenet_udp_sendrecv_all_ports(zebra_t) -corenet_tcp_bind_generic_node(zebra_t) -corenet_udp_bind_generic_node(zebra_t) -corenet_tcp_bind_bgp_port(zebra_t) -corenet_tcp_bind_zebra_port(zebra_t) -corenet_udp_bind_router_port(zebra_t) -corenet_tcp_connect_bgp_port(zebra_t) -corenet_sendrecv_zebra_server_packets(zebra_t) -corenet_sendrecv_router_server_packets(zebra_t) - -dev_associate_usbfs(zebra_var_run_t) -dev_list_all_dev_nodes(zebra_t) -dev_read_sysfs(zebra_t) -dev_rw_zero(zebra_t) - -fs_getattr_all_fs(zebra_t) -fs_search_auto_mountpoints(zebra_t) - -term_list_ptys(zebra_t) - -domain_use_interactive_fds(zebra_t) - -files_search_etc(zebra_t) -files_read_etc_files(zebra_t) -files_read_etc_runtime_files(zebra_t) - -logging_send_syslog_msg(zebra_t) - -miscfiles_read_localization(zebra_t) - -sysnet_read_config(zebra_t) - -userdom_dontaudit_use_unpriv_user_fds(zebra_t) -userdom_dontaudit_search_user_home_dirs(zebra_t) - -tunable_policy(`allow_zebra_write_config',` - manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -') - -optional_policy(` - nis_use_ypbind(zebra_t) -') - -optional_policy(` - rpm_read_pipes(zebra_t) -') - -optional_policy(` - seutil_sigchld_newrole(zebra_t) -') - -optional_policy(` - udev_read_db(zebra_t) -') - -optional_policy(` - unconfined_sigchld(zebra_t) -') diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc deleted file mode 100644 index d719d0b99..000000000 --- a/policy/modules/services/zosremote.fc +++ /dev/null @@ -1 +0,0 @@ -/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if deleted file mode 100644 index 702e76803..000000000 --- a/policy/modules/services/zosremote.if +++ /dev/null @@ -1,45 +0,0 @@ -## policy for z/OS Remote-services Audit dispatcher plugin - -######################################## -## -## Execute a domain transition to run audispd-zos-remote. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`zosremote_domtrans',` - gen_require(` - type zos_remote_t, zos_remote_exec_t; - ') - - domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -') - -######################################## -## -## Allow specified type and role to transition and -## run in the zos_remote_t domain. Allow specified type -## to use zos_remote_t terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`zosremote_run',` - gen_require(` - type zos_remote_t; - ') - - zosremote_domtrans($1) - role $2 types zos_remote_t; -') diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te deleted file mode 100644 index f9a06d2c5..000000000 --- a/policy/modules/services/zosremote.te +++ /dev/null @@ -1,28 +0,0 @@ -policy_module(zosremote, 1.1.0) - -######################################## -# -# Declarations -# - -type zos_remote_t; -type zos_remote_exec_t; -init_system_domain(zos_remote_t, zos_remote_exec_t) -logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) - -######################################## -# -# zos_remote local policy -# - -allow zos_remote_t self:process signal; -allow zos_remote_t self:fifo_file rw_file_perms; -allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; - -files_read_etc_files(zos_remote_t) - -auth_use_nsswitch(zos_remote_t) - -miscfiles_read_localization(zos_remote_t) - -logging_send_syslog_msg(zos_remote_t) diff --git a/policy/modules/system/daemontools.fc b/policy/modules/system/daemontools.fc deleted file mode 100644 index 26df050ba..000000000 --- a/policy/modules/system/daemontools.fc +++ /dev/null @@ -1,53 +0,0 @@ -# -# /service -# - -/service -d gen_context(system_u:object_r:svc_svc_t,s0) -/service/.* gen_context(system_u:object_r:svc_svc_t,s0) - -# -# /usr -# - -/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0) -/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0) -/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0) - -# -# /var -# - -/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) - -/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) -/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0) -/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) -/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0) -/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0) - -/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) -/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) -/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if deleted file mode 100644 index ce3e6761e..000000000 --- a/policy/modules/system/daemontools.if +++ /dev/null @@ -1,212 +0,0 @@ -## Collection of tools for managing UNIX services -## -##

-## Policy for DJB's daemontools -##

-## - -######################################## -## -## An ipc channel between the supervised domain and svc_start_t -## -## -## -## Domain allowed access. -## -## -# -interface(`daemontools_ipc_domain',` - gen_require(` - type svc_start_t; - ') - - allow $1 svc_start_t:process sigchld; - allow $1 svc_start_t:fd use; - allow $1 svc_start_t:fifo_file { read write getattr }; - allow svc_start_t $1:process signal; -') - -######################################## -## -## Define a specified domain as a supervised service. -## -## -## -## Domain allowed access. -## -## -## -## -## The type associated with the process program. -## -## -# -interface(`daemontools_service_domain',` - gen_require(` - type svc_run_t; - ') - - domain_auto_trans(svc_run_t, $2, $1) - daemontools_ipc_domain($1) - - allow svc_run_t $1:process signal; - allow $1 svc_run_t:fd use; -') - -######################################## -## -## Execute in the svc_start_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`daemontools_domtrans_start',` - gen_require(` - type svc_start_t, svc_start_exec_t; - ') - - domtrans_pattern($1, svc_start_exec_t, svc_start_t) -') - -###################################### -## -## Execute svc_start in the svc_start domain, and -## allow the specified role the svc_start domain. -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed the svc_start domain. -## -## -## -# -interface(`daemonstools_run_start',` - gen_require(` - type svc_start_t; - ') - - daemontools_domtrans_start($1) - role $2 types svc_start_t; -') - -######################################## -## -## Execute in the svc_run_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`daemontools_domtrans_run',` - gen_require(` - type svc_run_t, svc_run_exec_t; - ') - - domtrans_pattern($1, svc_run_exec_t, svc_run_t) -') - -###################################### -## -## Send a SIGCHLD signal to svc_run domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`daemontools_sigchld_run',` - gen_require(` - type svc_run_t; - ') - - allow $1 svc_run_t:process sigchld; -') - -######################################## -## -## Execute in the svc_multilog_t domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`daemontools_domtrans_multilog',` - gen_require(` - type svc_multilog_t, svc_multilog_exec_t; - ') - - domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t) -') - -###################################### -## -## Search svc_svc_t directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`daemontools_search_svc_dir',` - gen_require(` - type svc_svc_t; - ') - - allow $1 svc_svc_t:dir search_dir_perms; -') - -######################################## -## -## Allow a domain to read svc_svc_t files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`daemontools_read_svc',` - gen_require(` - type svc_svc_t; - ') - - allow $1 svc_svc_t:dir list_dir_perms; - allow $1 svc_svc_t:file read_file_perms; -') - -######################################## -## -## Allow a domain to create svc_svc_t files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`daemontools_manage_svc',` - gen_require(` - type svc_svc_t; - ') - - allow $1 svc_svc_t:dir manage_dir_perms; - allow $1 svc_svc_t:fifo_file manage_fifo_file_perms; - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file { read create }; -') diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te deleted file mode 100644 index dcc5f1c37..000000000 --- a/policy/modules/system/daemontools.te +++ /dev/null @@ -1,118 +0,0 @@ -policy_module(daemontools, 1.2.0) - -######################################## -# -# Declarations -# - -type svc_conf_t; -files_config_file(svc_conf_t) - -type svc_log_t; -files_type(svc_log_t) - -type svc_multilog_t; -type svc_multilog_exec_t; -application_domain(svc_multilog_t, svc_multilog_exec_t) -role system_r types svc_multilog_t; - -type svc_run_t; -type svc_run_exec_t; -application_domain(svc_run_t, svc_run_exec_t) -role system_r types svc_run_t; - -type svc_start_t; -type svc_start_exec_t; -init_domain(svc_start_t, svc_start_exec_t) -init_system_domain(svc_start_t, svc_start_exec_t) -role system_r types svc_start_t; - -type svc_svc_t; -files_type(svc_svc_t) - -######################################## -# -# multilog local policy -# - -# multilog creates /service/*/log/status -manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) - -init_use_fds(svc_multilog_t) - -# writes to /var/log/*/* -logging_manage_generic_logs(svc_multilog_t) - -daemontools_ipc_domain(svc_multilog_t) - -######################################## -# -# local policy for binaries that impose -# a given environment to supervised daemons -# ie. softlimit, setuidgid, envuidgid, envdir, fghack .. -# - -allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; -allow svc_run_t self:process setrlimit; -allow svc_run_t self:fifo_file rw_fifo_file_perms; -allow svc_run_t self:unix_stream_socket create_stream_socket_perms; - -allow svc_run_t svc_conf_t:dir list_dir_perms; -allow svc_run_t svc_conf_t:file read_file_perms; - -can_exec(svc_run_t, svc_run_exec_t) - -kernel_read_system_state(svc_run_t) - -dev_read_urand(svc_run_t) - -corecmd_exec_bin(svc_run_t) -corecmd_exec_shell(svc_run_t) - -files_read_etc_files(svc_run_t) -files_read_etc_runtime_files(svc_run_t) -files_search_pids(svc_run_t) -files_search_var_lib(svc_run_t) - -init_use_script_fds(svc_run_t) -init_use_fds(svc_run_t) - -daemontools_domtrans_multilog(svc_run_t) -daemontools_read_svc(svc_run_t) - -optional_policy(` - qmail_read_config(svc_run_t) -') - -######################################## -# -# local policy for service monitoring programs -# ie svc, svscan, supervise ... -# - -allow svc_start_t svc_run_t:process { signal setrlimit }; - -allow svc_start_t self:fifo_file rw_fifo_file_perms; -allow svc_start_t self:capability kill; -allow svc_start_t self:tcp_socket create_stream_socket_perms; -allow svc_start_t self:unix_stream_socket create_socket_perms; - -can_exec(svc_start_t, svc_start_exec_t) - -kernel_read_kernel_sysctls(svc_start_t) -kernel_read_system_state(svc_start_t) - -corecmd_exec_bin(svc_start_t) -corecmd_exec_shell(svc_start_t) - -files_read_etc_files(svc_start_t) -files_read_etc_runtime_files(svc_start_t) -files_search_var(svc_start_t) -files_search_pids(svc_start_t) - -daemontools_domtrans_run(svc_start_t) -daemontools_manage_svc(svc_start_t) - -logging_send_syslog_msg(svc_start_t) - -miscfiles_read_localization(svc_start_t) diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc deleted file mode 100644 index 14d9670ba..000000000 --- a/policy/modules/system/iscsi.fc +++ /dev/null @@ -1,7 +0,0 @@ -/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - -/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) -/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) -/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) -/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if deleted file mode 100644 index 4cae92acc..000000000 --- a/policy/modules/system/iscsi.if +++ /dev/null @@ -1,76 +0,0 @@ -## Establish connections to iSCSI devices - -######################################## -## -## Execute a domain transition to run iscsid. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`iscsid_domtrans',` - gen_require(` - type iscsid_t, iscsid_exec_t; - ') - - domtrans_pattern($1, iscsid_exec_t, iscsid_t) -') - -######################################## -## -## Manage iscsid sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`iscsi_manage_semaphores',` - gen_require(` - type iscsid_t; - ') - - allow $1 iscsid_t:sem create_sem_perms; -') - -######################################## -## -## Connect to ISCSI using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`iscsi_stream_connect',` - gen_require(` - type iscsid_t, iscsi_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t) -') - -######################################## -## -## Read iscsi lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`iscsi_read_lib_files',` - gen_require(` - type iscsi_var_lib_t; - ') - - read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) - allow $1 iscsi_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) -') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te deleted file mode 100644 index 8bcfa2fe8..000000000 --- a/policy/modules/system/iscsi.te +++ /dev/null @@ -1,97 +0,0 @@ -policy_module(iscsi, 1.8.0) - -######################################## -# -# Declarations -# - -type iscsid_t; -type iscsid_exec_t; -domain_type(iscsid_t) -init_daemon_domain(iscsid_t, iscsid_exec_t) - -type iscsi_lock_t; -files_lock_file(iscsi_lock_t) - -type iscsi_log_t; -logging_log_file(iscsi_log_t) - -type iscsi_tmp_t; -files_tmp_file(iscsi_tmp_t) - -type iscsi_var_lib_t; -files_type(iscsi_var_lib_t) - -type iscsi_var_run_t; -files_pid_file(iscsi_var_run_t) - -######################################## -# -# iscsid local policy -# - -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; -allow iscsid_t self:process { setrlimit setsched signal }; -allow iscsid_t self:fifo_file rw_fifo_file_perms; -allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow iscsid_t self:unix_dgram_socket create_socket_perms; -allow iscsid_t self:sem create_sem_perms; -allow iscsid_t self:shm create_shm_perms; -allow iscsid_t self:netlink_socket create_socket_perms; -allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; -allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; -allow iscsid_t self:tcp_socket create_stream_socket_perms; - -can_exec(iscsid_t, iscsid_exec_t) - -manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) -manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) -files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file }) - -manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) -logging_log_filetrans(iscsid_t, iscsi_log_t, file) - -manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) - -allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; -read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -files_search_var_lib(iscsid_t) - -manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) -files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - -kernel_read_network_state(iscsid_t) -kernel_read_system_state(iscsid_t) - -corenet_all_recvfrom_unlabeled(iscsid_t) -corenet_all_recvfrom_netlabel(iscsid_t) -corenet_tcp_sendrecv_generic_if(iscsid_t) -corenet_tcp_sendrecv_generic_node(iscsid_t) -corenet_tcp_sendrecv_all_ports(iscsid_t) -corenet_tcp_connect_http_port(iscsid_t) -corenet_tcp_connect_iscsi_port(iscsid_t) -corenet_tcp_connect_isns_port(iscsid_t) - -dev_rw_sysfs(iscsid_t) -dev_rw_userio_dev(iscsid_t) - -domain_use_interactive_fds(iscsid_t) -domain_dontaudit_read_all_domains_state(iscsid_t) - -files_read_etc_files(iscsid_t) - -auth_use_nsswitch(iscsid_t) - -init_stream_connect_script(iscsid_t) - -logging_send_syslog_msg(iscsid_t) - -miscfiles_read_localization(iscsid_t) - -optional_policy(` - tgtd_manage_semaphores(iscsid_t) -') diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc deleted file mode 100644 index 9cf0e564a..000000000 --- a/policy/modules/system/pcmcia.fc +++ /dev/null @@ -1,10 +0,0 @@ - -/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0) -/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0) - -/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) -/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if deleted file mode 100644 index aef445d3a..000000000 --- a/policy/modules/system/pcmcia.if +++ /dev/null @@ -1,156 +0,0 @@ -## PCMCIA card management services - -######################################## -## -## PCMCIA stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_stub',` - gen_require(` - type cardmgr_t; - ') -') - -######################################## -## -## Execute cardmgr in the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pcmcia_domtrans_cardmgr',` - gen_require(` - type cardmgr_t, cardmgr_exec_t; - ') - - domtrans_pattern($1, cardmgr_exec_t, cardmgr_t) -') - -######################################## -## -## Inherit and use file descriptors from cardmgr. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_use_cardmgr_fds',` - gen_require(` - type cardmgr_t; - ') - - allow $1 cardmgr_t:fd use; -') - -######################################## -## -## Execute cardctl in the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`pcmcia_domtrans_cardctl',` - gen_require(` - type cardmgr_t, cardctl_exec_t; - ') - - domtrans_pattern($1, cardctl_exec_t, cardmgr_t) -') - -######################################## -## -## Execute cardmgr in the cardctl domain, and -## allow the specified role the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`pcmcia_run_cardctl',` - gen_require(` - type cardmgr_t; - ') - - pcmcia_domtrans_cardctl($1) - role $2 types cardmgr_t; -') - -######################################## -## -## Read cardmgr pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_read_pid',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') - -######################################## -## -## Create, read, write, and delete -## cardmgr pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_manage_pid',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') - -######################################## -## -## Create, read, write, and delete -## cardmgr runtime character nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`pcmcia_manage_pid_chr_files',` - gen_require(` - type cardmgr_var_run_t; - ') - - files_search_pids($1) - manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) -') diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te deleted file mode 100644 index 4d06ae364..000000000 --- a/policy/modules/system/pcmcia.te +++ /dev/null @@ -1,137 +0,0 @@ -policy_module(pcmcia, 1.6.0) - -######################################## -# -# Declarations -# - -type cardmgr_t; -type cardmgr_exec_t; -init_daemon_domain(cardmgr_t, cardmgr_exec_t) - -# Create symbolic links in /dev. -# cjp: this should probably be eliminated -type cardmgr_lnk_t; -files_type(cardmgr_lnk_t) - -type cardmgr_var_lib_t; -files_type(cardmgr_var_lib_t) - -type cardmgr_var_run_t; -files_pid_file(cardmgr_var_run_t) - -type cardctl_exec_t; -application_domain(cardmgr_t, cardctl_exec_t) - -######################################## -# -# Local policy -# - -# Use capabilities (net_admin for route), setuid for cardctl -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; -dontaudit cardmgr_t self:capability sys_tty_config; -allow cardmgr_t self:process signal_perms; -allow cardmgr_t self:fifo_file rw_fifo_file_perms; -allow cardmgr_t self:unix_dgram_socket create_socket_perms; -allow cardmgr_t self:unix_stream_socket create_socket_perms; - -allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms; -dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file) - -# Create stab file -manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t) -files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file) - -allow cardmgr_t cardmgr_var_run_t:file manage_file_perms; -files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file) - -kernel_read_system_state(cardmgr_t) -kernel_read_kernel_sysctls(cardmgr_t) -kernel_dontaudit_getattr_message_if(cardmgr_t) - -corecmd_exec_all_executables(cardmgr_t) - -dev_read_sysfs(cardmgr_t) -dev_manage_cardmgr_dev(cardmgr_t) -dev_filetrans_cardmgr(cardmgr_t) -dev_getattr_all_chr_files(cardmgr_t) -dev_getattr_all_blk_files(cardmgr_t) -# for SSP -dev_read_urand(cardmgr_t) - -domain_use_interactive_fds(cardmgr_t) -# Read /proc/PID directories for all domains (for fuser). -domain_read_confined_domains_state(cardmgr_t) -domain_getattr_confined_domains(cardmgr_t) -domain_dontaudit_ptrace_confined_domains(cardmgr_t) -# cjp: these look excessive: -domain_dontaudit_getattr_all_pipes(cardmgr_t) -domain_dontaudit_getattr_all_sockets(cardmgr_t) - -files_search_kernel_modules(cardmgr_t) -files_list_usr(cardmgr_t) -files_search_home(cardmgr_t) -files_read_etc_runtime_files(cardmgr_t) -files_exec_etc_files(cardmgr_t) -# for /var/lib/misc/pcmcia-scheme -# would be better to have it in a different type if I knew how it was created.. -files_read_var_lib_files(cardmgr_t) -# cjp: these look excessive: -files_dontaudit_getattr_all_dirs(cardmgr_t) -files_dontaudit_getattr_all_files(cardmgr_t) -files_dontaudit_getattr_all_symlinks(cardmgr_t) -files_dontaudit_getattr_all_pipes(cardmgr_t) -files_dontaudit_getattr_all_sockets(cardmgr_t) - -fs_getattr_all_fs(cardmgr_t) -fs_search_auto_mountpoints(cardmgr_t) - -term_use_unallocated_ttys(cardmgr_t) -term_getattr_all_ttys(cardmgr_t) -term_dontaudit_getattr_all_ptys(cardmgr_t) - -libs_exec_ld_so(cardmgr_t) -libs_exec_lib_files(cardmgr_t) - -logging_send_syslog_msg(cardmgr_t) - -miscfiles_read_localization(cardmgr_t) - -modutils_domtrans_insmod(cardmgr_t) - -sysnet_domtrans_ifconfig(cardmgr_t) -# for /etc/resolv.conf -sysnet_etc_filetrans_config(cardmgr_t) -sysnet_manage_config(cardmgr_t) - -userdom_use_user_terminals(cardmgr_t) -userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) -userdom_dontaudit_search_user_home_dirs(cardmgr_t) - -optional_policy(` - seutil_dontaudit_read_config(cardmgr_t) - seutil_sigchld_newrole(cardmgr_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(cardmgr_t) - - sysnet_read_dhcpc_pid(cardmgr_t) - sysnet_delete_dhcpc_pid(cardmgr_t) - sysnet_kill_dhcpc(cardmgr_t) - sysnet_sigchld_dhcpc(cardmgr_t) - sysnet_signal_dhcpc(cardmgr_t) - sysnet_signull_dhcpc(cardmgr_t) - sysnet_sigstop_dhcpc(cardmgr_t) -') - -optional_policy(` - udev_read_db(cardmgr_t) -') - -# Create device files in /tmp. -# cjp: why is this created all over the place? -files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file }) -files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file }) -filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file }) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc deleted file mode 100644 index ed9c70d4f..000000000 --- a/policy/modules/system/raid.fc +++ /dev/null @@ -1,6 +0,0 @@ -/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) - -/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) -/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) - -/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if deleted file mode 100644 index b1a85b512..000000000 --- a/policy/modules/system/raid.if +++ /dev/null @@ -1,75 +0,0 @@ -## RAID array management tools - -######################################## -## -## Execute software raid tools in the mdadm domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`raid_domtrans_mdadm',` - gen_require(` - type mdadm_t, mdadm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mdadm_exec_t, mdadm_t) -') - -###################################### -## -## Execute a domain transition to mdadm_t for the -## specified role, allowing it to use the mdadm_t -## domain -## -## -## -## Role allowed to access mdadm_t domain -## -## -## -## -## Domain allowed to transition to mdadm_t -## -## -# -interface(`raid_run_mdadm',` - gen_require(` - type mdadm_t; - ') - - role $1 types mdadm_t; - raid_domtrans_mdadm($2) -') - -######################################## -## -## Create, read, write, and delete the mdadm pid files. -## -## -##

-## Create, read, write, and delete the mdadm pid files. -##

-##

-## Added for use in the init module. -##

-## -## -## -## Domain allowed access. -## -## -# -interface(`raid_manage_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - - # FIXME: maybe should have a type_transition. not - # clear what this is doing, from the original - # mdadm policy - allow $1 mdadm_var_run_t:file manage_file_perms; -') diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te deleted file mode 100644 index 3fd46f7d8..000000000 --- a/policy/modules/system/raid.te +++ /dev/null @@ -1,100 +0,0 @@ -policy_module(raid, 1.11.0) - -######################################## -# -# Declarations -# - -type mdadm_t; -type mdadm_exec_t; -init_daemon_domain(mdadm_t, mdadm_exec_t) -role system_r types mdadm_t; - -type mdadm_map_t; -files_type(mdadm_map_t) - -type mdadm_var_run_t; -files_pid_file(mdadm_var_run_t) - -######################################## -# -# Local policy -# - -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; -dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; -allow mdadm_t self:fifo_file rw_fifo_file_perms; - -# create .mdadm files in /dev -allow mdadm_t mdadm_map_t:file manage_file_perms; -dev_filetrans(mdadm_t, mdadm_map_t, file) - -manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) - -kernel_read_system_state(mdadm_t) -kernel_read_kernel_sysctls(mdadm_t) -kernel_rw_software_raid_state(mdadm_t) -kernel_getattr_core_if(mdadm_t) - -# Helper program access -corecmd_exec_bin(mdadm_t) -corecmd_exec_shell(mdadm_t) - -dev_rw_sysfs(mdadm_t) -# Ignore attempts to read every device file -dev_dontaudit_getattr_all_blk_files(mdadm_t) -dev_dontaudit_getattr_all_chr_files(mdadm_t) -dev_dontaudit_getattr_generic_files(mdadm_t) -dev_dontaudit_getattr_generic_chr_files(mdadm_t) -dev_dontaudit_getattr_generic_blk_files(mdadm_t) -dev_read_realtime_clock(mdadm_t) -# unfortunately needed for DMI decoding: -dev_read_raw_memory(mdadm_t) - -domain_use_interactive_fds(mdadm_t) - -files_read_etc_files(mdadm_t) -files_read_etc_runtime_files(mdadm_t) - -fs_search_auto_mountpoints(mdadm_t) -fs_dontaudit_list_tmpfs(mdadm_t) - -mls_file_read_all_levels(mdadm_t) -mls_file_write_all_levels(mdadm_t) - -# RAID block device access -storage_manage_fixed_disk(mdadm_t) -storage_dev_filetrans_fixed_disk(mdadm_t) -storage_read_scsi_generic(mdadm_t) - -term_dontaudit_list_ptys(mdadm_t) - -init_dontaudit_getattr_initctl(mdadm_t) - -logging_send_syslog_msg(mdadm_t) - -miscfiles_read_localization(mdadm_t) - -userdom_dontaudit_use_unpriv_user_fds(mdadm_t) -userdom_dontaudit_search_user_home_content(mdadm_t) -userdom_dontaudit_use_user_terminals(mdadm_t) - -mta_send_mail(mdadm_t) - -optional_policy(` - gpm_dontaudit_getattr_gpmctl(mdadm_t) -') - -optional_policy(` - seutil_sigchld_newrole(mdadm_t) -') - -optional_policy(` - udev_read_db(mdadm_t) -') - -optional_policy(` - unconfined_domain(mdadm_t) -') diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc deleted file mode 100644 index a865da76a..000000000 --- a/policy/modules/system/xen.fc +++ /dev/null @@ -1,43 +0,0 @@ -/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) - -/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) - -/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) -/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) -/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) - -/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) - -ifdef(`distro_debian',` -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -',` -/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -') - -/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) -/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) - -/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) -/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) -/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) - -/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) -/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) -/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if deleted file mode 100644 index 77d41b649..000000000 --- a/policy/modules/system/xen.if +++ /dev/null @@ -1,238 +0,0 @@ -## Xen hypervisor - -######################################## -## -## Execute a domain transition to run xend. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xen_domtrans',` - gen_require(` - type xend_t, xend_exec_t; - ') - - domtrans_pattern($1, xend_exec_t, xend_t) -') - -######################################## -## -## Inherit and use xen file descriptors. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_use_fds',` - gen_require(` - type xend_t; - ') - - allow $1 xend_t:fd use; -') - -######################################## -## -## Do not audit attempts to inherit -## xen file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`xen_dontaudit_use_fds',` - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:fd use; -') - -######################################## -## -## Read xend image files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_read_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - - list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) -') - -######################################## -## -## Allow the specified domain to read/write -## xend image files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_rw_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - allow $1 xend_var_lib_t:dir search_dir_perms; - rw_files_pattern($1, xen_image_t, xen_image_t) -') - -######################################## -## -## Allow the specified domain to append -## xend log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_append_log',` - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, xend_var_log_t, xend_var_log_t) - dontaudit $1 xend_var_log_t:file write; -') - -######################################## -## -## Create, read, write, and delete the -## xend log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_manage_log',` - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t) - manage_files_pattern($1, xend_var_log_t, xend_var_log_t) -') - -######################################## -## -## Do not audit attempts to read and write -## Xen unix domain stream sockets. These -## are leaked file descriptors. -## -## -## -## Domain to not audit. -## -## -# -interface(`xen_dontaudit_rw_unix_stream_sockets',` - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:unix_stream_socket { read write }; -') - -######################################## -## -## Connect to xenstored over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_stream_connect_xenstore',` - gen_require(` - type xenstored_t, xenstored_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t) -') - -######################################## -## -## Connect to xend over an unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_stream_connect',` - gen_require(` - type xend_t, xend_var_run_t, xend_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) - - files_search_var_lib($1) - stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) -') - -######################################## -## -## Execute a domain transition to run xm. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`xen_domtrans_xm',` - gen_require(` - type xm_t, xm_exec_t; - ') - - domtrans_pattern($1, xm_exec_t, xm_t) -') - -######################################## -## -## Connect to xm over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`xen_stream_connect_xm',` - gen_require(` - type xm_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t) -') diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te deleted file mode 100644 index c4d18e894..000000000 --- a/policy/modules/system/xen.te +++ /dev/null @@ -1,566 +0,0 @@ -policy_module(xen, 1.11.0) - -######################################## -# -# Declarations -# - -## -##

-## Allow xend to run blktapctrl/tapdisk. -## Not required if using dedicated logical volumes for disk images. -##

-## -gen_tunable(xend_run_blktap, true) - -## -##

-## Allow xend to run qemu-dm. -## Not required if using paravirt and no vfb. -##

-## -gen_tunable(xend_run_qemu, true) - -## -##

-## Allow xen to manage nfs files -##

-## -gen_tunable(xen_use_nfs, false) - -type blktap_t; -type blktap_exec_t; -domain_type(blktap_t) -domain_entry_file(blktap_t, blktap_exec_t) -role system_r types blktap_t; - -type blktap_var_run_t; -files_pid_file(blktap_var_run_t) - -type evtchnd_t; -type evtchnd_exec_t; -init_daemon_domain(evtchnd_t, evtchnd_exec_t) - -# log files -type evtchnd_var_log_t; -logging_log_file(evtchnd_var_log_t) - -# pid files -type evtchnd_var_run_t; -files_pid_file(evtchnd_var_run_t) - -type qemu_dm_t; -type qemu_dm_exec_t; -domain_type(qemu_dm_t) -domain_entry_file(qemu_dm_t, qemu_dm_exec_t) -role system_r types qemu_dm_t; - -# console ptys -type xen_devpts_t; -term_pty(xen_devpts_t) -files_type(xen_devpts_t) - -# Xen Image files -type xen_image_t; # customizable -files_type(xen_image_t) -# xen_image_t can be assigned to blk devices -dev_node(xen_image_t) - -type xenctl_t; -files_type(xenctl_t) - -type xend_t; -type xend_exec_t; -domain_type(xend_t) -init_daemon_domain(xend_t, xend_exec_t) - -# tmp files -type xend_tmp_t; -files_tmp_file(xend_tmp_t) - -# var/lib files -type xend_var_lib_t; -files_type(xend_var_lib_t) -# for mounting an NFS store -files_mountpoint(xend_var_lib_t) - -# log files -type xend_var_log_t; -logging_log_file(xend_var_log_t) - -# pid files -type xend_var_run_t; -files_pid_file(xend_var_run_t) -files_mountpoint(xend_var_run_t) - -type xenstored_t; -type xenstored_exec_t; -init_daemon_domain(xenstored_t, xenstored_exec_t) - -type xenstored_tmp_t; -files_tmp_file(xenstored_tmp_t) - -# var/lib files -type xenstored_var_lib_t; -files_type(xenstored_var_lib_t) -files_mountpoint(xenstored_var_lib_t) - -# log files -type xenstored_var_log_t; -logging_log_file(xenstored_var_log_t) - -# pid files -type xenstored_var_run_t; -files_pid_file(xenstored_var_run_t) - -type xenconsoled_t; -type xenconsoled_exec_t; -init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - -# pid files -type xenconsoled_var_run_t; -files_pid_file(xenconsoled_var_run_t) - -type xm_t; -type xm_exec_t; -domain_type(xm_t) -init_system_domain(xm_t, xm_exec_t) - -######################################## -# -# blktap local policy -# -# Do we need to allow execution of blktap? -tunable_policy(`xend_run_blktap',` - # If yes, transition to its own domain. - domtrans_pattern(xend_t, blktap_exec_t, blktap_t) - - allow blktap_t self:fifo_file { read write }; - - dev_read_sysfs(blktap_t) - dev_rw_xen(blktap_t) - - files_read_etc_files(blktap_t) - - logging_send_syslog_msg(blktap_t) - - miscfiles_read_localization(blktap_t) - - xen_stream_connect_xenstore(blktap_t) -',` - # If no, then silently refuse to run it. - dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; -') - -####################################### -# -# evtchnd local policy -# - -manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) - -manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - -######################################## -# -# qemu-dm local policy -# -# Do we need to allow execution of qemu-dm? -tunable_policy(`xend_run_qemu',` - allow qemu_dm_t self:capability sys_resource; - allow qemu_dm_t self:process setrlimit; - allow qemu_dm_t self:fifo_file { read write }; - allow qemu_dm_t self:tcp_socket create_stream_socket_perms; - - # If yes, transition to its own domain. - domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t) - - append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t) - - rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t) - - corenet_tcp_bind_generic_node(qemu_dm_t) - corenet_tcp_bind_vnc_port(qemu_dm_t) - - dev_rw_xen(qemu_dm_t) - - files_read_etc_files(qemu_dm_t) - files_read_usr_files(qemu_dm_t) - - fs_manage_xenfs_dirs(qemu_dm_t) - fs_manage_xenfs_files(qemu_dm_t) - - miscfiles_read_localization(qemu_dm_t) - - xen_stream_connect_xenstore(qemu_dm_t) -',` - # If no, then silently refuse to run it. - dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans }; -') - -######################################## -# -# xend local policy -# - -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { signal sigkill }; -dontaudit xend_t self:process ptrace; -# internal communication is often done using fifo and unix sockets. -allow xend_t self:fifo_file rw_fifo_file_perms; -allow xend_t self:unix_stream_socket create_stream_socket_perms; -allow xend_t self:unix_dgram_socket create_socket_perms; -allow xend_t self:netlink_route_socket r_netlink_socket_perms; -allow xend_t self:tcp_socket create_stream_socket_perms; -allow xend_t self:packet_socket create_socket_perms; - -allow xend_t xen_image_t:dir list_dir_perms; -manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) -manage_files_pattern(xend_t, xen_image_t, xen_image_t) -read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) -rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) - -allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; -dev_filetrans(xend_t, xenctl_t, fifo_file) - -manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) -manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) -files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - -# pid file -manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) -files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - -# log files -manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) -manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) - -# var/lib files for xend -manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) -files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) - -# transition to store -domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) - -# manage xenstored pid file -manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) - -# mount tmpfs on /var/lib/xenstored -allow xend_t xenstored_var_lib_t:dir read; - -# transition to console -domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) - -kernel_read_kernel_sysctls(xend_t) -kernel_read_system_state(xend_t) -kernel_write_xen_state(xend_t) -kernel_read_xen_state(xend_t) -kernel_rw_net_sysctls(xend_t) -kernel_read_network_state(xend_t) - -corecmd_exec_bin(xend_t) -corecmd_exec_shell(xend_t) - -corenet_all_recvfrom_unlabeled(xend_t) -corenet_all_recvfrom_netlabel(xend_t) -corenet_tcp_sendrecv_generic_if(xend_t) -corenet_tcp_sendrecv_generic_node(xend_t) -corenet_tcp_sendrecv_all_ports(xend_t) -corenet_tcp_bind_generic_node(xend_t) -corenet_tcp_bind_xen_port(xend_t) -corenet_tcp_bind_soundd_port(xend_t) -corenet_tcp_bind_generic_port(xend_t) -corenet_tcp_bind_vnc_port(xend_t) -corenet_tcp_connect_xserver_port(xend_t) -corenet_tcp_connect_xen_port(xend_t) -corenet_sendrecv_xserver_client_packets(xend_t) -corenet_sendrecv_xen_server_packets(xend_t) -corenet_sendrecv_xen_client_packets(xend_t) -corenet_sendrecv_soundd_server_packets(xend_t) -corenet_rw_tun_tap_dev(xend_t) - -dev_read_urand(xend_t) -dev_filetrans_xen(xend_t) -dev_rw_sysfs(xend_t) -dev_rw_xen(xend_t) - -domain_dontaudit_read_all_domains_state(xend_t) -domain_dontaudit_ptrace_all_domains(xend_t) - -files_read_etc_files(xend_t) -files_read_kernel_symbol_table(xend_t) -files_read_kernel_img(xend_t) -files_manage_etc_runtime_files(xend_t) -files_etc_filetrans_etc_runtime(xend_t, file) -files_read_usr_files(xend_t) -files_read_default_symlinks(xend_t) - -term_getattr_all_ptys(xend_t) -term_use_generic_ptys(xend_t) -term_use_ptmx(xend_t) -term_getattr_pty_fs(xend_t) - -init_stream_connect_script(xend_t) - -locallogin_dontaudit_use_fds(xend_t) - -logging_send_syslog_msg(xend_t) - -lvm_domtrans(xend_t) - -miscfiles_read_localization(xend_t) -miscfiles_read_hwdata(xend_t) - -mount_domtrans(xend_t) - -sysnet_domtrans_dhcpc(xend_t) -sysnet_signal_dhcpc(xend_t) -sysnet_domtrans_ifconfig(xend_t) -sysnet_dns_name_resolve(xend_t) -sysnet_delete_dhcpc_pid(xend_t) -sysnet_read_dhcpc_pid(xend_t) -sysnet_rw_dhcp_config(xend_t) - -userdom_dontaudit_search_user_home_dirs(xend_t) - -xen_stream_connect_xenstore(xend_t) - -netutils_domtrans(xend_t) - -optional_policy(` - brctl_domtrans(xend_t) -') - -optional_policy(` - consoletype_exec(xend_t) -') - -######################################## -# -# Xen console local policy -# - -allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; -allow xenconsoled_t self:process setrlimit; -allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; -allow xenconsoled_t self:fifo_file rw_fifo_file_perms; - -allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; - -# pid file -manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) - -kernel_read_kernel_sysctls(xenconsoled_t) -kernel_write_xen_state(xenconsoled_t) -kernel_read_xen_state(xenconsoled_t) - -dev_rw_xen(xenconsoled_t) -dev_filetrans_xen(xenconsoled_t) -dev_rw_sysfs(xenconsoled_t) - -domain_dontaudit_ptrace_all_domains(xenconsoled_t) - -files_read_etc_files(xenconsoled_t) -files_read_usr_files(xenconsoled_t) - -fs_list_tmpfs(xenconsoled_t) -fs_manage_xenfs_dirs(xenconsoled_t) -fs_manage_xenfs_files(xenconsoled_t) - -term_create_pty(xenconsoled_t, xen_devpts_t) -term_use_generic_ptys(xenconsoled_t) -term_use_console(xenconsoled_t) - -init_use_fds(xenconsoled_t) -init_use_script_ptys(xenconsoled_t) - -miscfiles_read_localization(xenconsoled_t) - -xen_manage_log(xenconsoled_t) -xen_stream_connect_xenstore(xenconsoled_t) - -optional_policy(` - ptchown_domtrans(xenconsoled_t) -') - -######################################## -# -# Xen store local policy -# - -allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; -allow xenstored_t self:unix_stream_socket create_stream_socket_perms; -allow xenstored_t self:unix_dgram_socket create_socket_perms; - -manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) - -# pid file -manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) - -# log files -manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) - -# var/lib files for xenstored -manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }) - -stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) - -kernel_write_xen_state(xenstored_t) -kernel_read_xen_state(xenstored_t) - -dev_filetrans_xen(xenstored_t) -dev_rw_xen(xenstored_t) -dev_read_sysfs(xenstored_t) - -files_read_etc_files(xenstored_t) - -files_read_usr_files(xenstored_t) - -fs_manage_xenfs_files(xenstored_t) - -term_use_generic_ptys(xenstored_t) - -init_use_fds(xenstored_t) -init_use_script_ptys(xenstored_t) - -logging_send_syslog_msg(xenstored_t) - -miscfiles_read_localization(xenstored_t) - -xen_append_log(xenstored_t) - -######################################## -# -# xm local policy -# - -allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; -allow xm_t self:process { getsched signal }; - -# internal communication is often done using fifo and unix sockets. -allow xm_t self:fifo_file rw_fifo_file_perms; -allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow xm_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -files_search_var_lib(xm_t) - -allow xm_t xen_image_t:dir rw_dir_perms; -allow xm_t xen_image_t:file read_file_perms; -allow xm_t xen_image_t:blk_file read_blk_file_perms; - -kernel_read_system_state(xm_t) -kernel_read_kernel_sysctls(xm_t) -kernel_read_sysctl(xm_t) -kernel_read_xen_state(xm_t) -kernel_write_xen_state(xm_t) - -corecmd_exec_bin(xm_t) -corecmd_exec_shell(xm_t) - -corenet_tcp_sendrecv_generic_if(xm_t) -corenet_tcp_sendrecv_generic_node(xm_t) -corenet_tcp_connect_soundd_port(xm_t) - -dev_read_urand(xm_t) -dev_read_sysfs(xm_t) - -files_read_etc_runtime_files(xm_t) -files_read_usr_files(xm_t) -files_list_mnt(xm_t) -# Some common macros (you might be able to remove some) -files_read_etc_files(xm_t) - -fs_getattr_all_fs(xm_t) -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) - -term_use_all_terms(xm_t) - -init_stream_connect_script(xm_t) -init_rw_script_stream_sockets(xm_t) -init_use_fds(xm_t) - -miscfiles_read_localization(xm_t) - -sysnet_dns_name_resolve(xm_t) - -xen_append_log(xm_t) -xen_stream_connect(xm_t) -xen_stream_connect_xenstore(xm_t) - -optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` - hal_dbus_chat(xm_t) - ') -') - -optional_policy(` - virt_domtrans(xm_t) - virt_manage_images(xm_t) - virt_manage_config(xm_t) - virt_stream_connect(xm_t) -') - -######################################## -# -# SSH component local policy -# -optional_policy(` - ssh_basic_client_template(xm, xm_t, system_r) - - kernel_read_xen_state(xm_ssh_t) - kernel_write_xen_state(xm_ssh_t) - - files_search_tmp(xm_ssh_t) - - fs_manage_xenfs_dirs(xm_ssh_t) - fs_manage_xenfs_files(xm_ssh_t) - - #Should have a boolean wrapping these - fs_list_auto_mountpoints(xend_t) - files_search_mnt(xend_t) - fs_getattr_all_fs(xend_t) - fs_read_dos_files(xend_t) - fs_manage_xenfs_dirs(xend_t) - fs_manage_xenfs_files(xend_t) - - tunable_policy(`xen_use_nfs',` - fs_manage_nfs_files(xend_t) - fs_read_nfs_symlinks(xend_t) - ') - - optional_policy(` - unconfined_domain(xend_t) - ') -')